Malicious PDF — malware analysis report

Static analysis result for SHA-256 75a1423d26491f2d…

Verdict: MALICIOUS

File type: PDF

Size: 98.6 KB
Created: 2021-07-10 13:12:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 06a210f412eca394657176f1b43b666b
SHA-1: 40336193f67c0264190f3a57e43433c4f65fca6d
SHA-256: 75a1423d26491f2d4cf09f503b4d57d483743a2144b63c376fec818270fe3486

Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF contains embedded JavaScript and numerous links to external sites, many of which are hosted on compromised WordPress installations or disposable domains. The ClamAV detection and the ML classifier both strongly indicate malicious intent, most likely to redirect the user to a phishing page or to download a second-stage payload. Embedded JavaScript is a common vehicle for initiating exploits or further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9784

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.phuongdonggolf.vn/app/webroot/uploads/files/kenejafubu.pdf
    • http://perechen-jurnalov.ru/js/ckfinder/userfiles/files/89258154936.pdf
    • http://xn----8sbnbd9chja.xn--p1ai/userfiles/file/zigipuluwevigidijapawovuk.pdf
    • https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/t5dl994tguntlgfmltegg1d33u/zufuxepupov.pdf
    • https://www.alignerco.ca/wp-content/plugins/super-forms/uploads/php/files/0ad5913c293242be51181efc82aa577a/xizefodafetosumikeluno.pdf
    • https://loctra.net/userfiles/file/betavepepo.pdf
    • https://coloreverything.love/wp-content/plugins/super-forms/uploads/php/files/42457909d2b1c014f756749e1eca8719/kiragulemuwonin.pdf
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a287268897d---midoxajaleni.pdf
    • http://hccc252.ca/clients/e/e4/e484b38507f190a955b66748903449e1/File/51979730139.pdf
    • https://wulf-sanitaer.de/wp-content/plugins/super-forms/uploads/php/files/akskh6apuhloffaeuamtgs3bss/tumuvubemikarab.pdf
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/40d6346f9d617b454a4dca8841291de9/84043935.pdf
    • https://www.kiteschule-eckernfoerde.de/wp-content/plugins/formcraft/file-upload/server/content/files/160932df76f6a5---27671953329.pdf
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b9640799e6---89376484911.pdf
    • http://vibrosystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607ef868b6c64---8017359115.pdf
    • https://kocarbonag.com/luutru/files/88547716957.pdf
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/1du24gv17tri3da3maijatjs20/57101865452.pdf
    • http://bahsclassof1965.com/clients/1/1d/1db829f64c2e26d3b32b12ccabba4d7c/File/zogurejalujadaloj.pdf
    • https://www.sidertest.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609c47e8b5f7c---fivogujiti.pdf
    • http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/1607baddf8ac76---ritovosilizagusodifufabos.pdf
    • https://anyimaker.com/upload/users/files/jadisamixenisi.pdf
    • https://xn--i1aam8cb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/6adbc6bbcf94524c5e1a50d281527e57/vemakibewoma.pdf
    • http://www.linkkorea.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/1609211d7c48ce---71595157047.pdf
    • http://erdivigado.hu/userkepek/file/sakuke.pdf
    • https://pelicanfinancialnetwork.com/ckfinder/userfiles/files/18813400346.pdf
    • https://luxartparquet.com/wp-content/plugins/super-forms/uploads/php/files/3ceabf18dfda241b72907b8f445916b0/35669370091.pdf
    • https://mymovingestimate.com/wp-content/plugins/super-forms/uploads/php/files/c1e39ee84d3d39a9601885d35e6bbcff/19243020503.pdf
    • https://aawyx.com/sites/default/imageuser/file/vuxuguzit.pdf
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/l41chkntvd6jbn57plpk34n1d5/30081053713.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=gulliver+travels+story+in+english+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00011e93.bin
    SHA-256: 82bca33a13967a5ae856e62c831dc6ee652ba4d6e633272bba090e2838e45c50
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11E93
    Size: 11096 bytes
  • font_01_sfnt_off0001383e.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1383E
    Size: 16792 bytes
  • font_02_sfnt_off00015050.bin
    SHA-256: ddea62ee774027a4f515046868857d8a27822e912c1ed17ce945af67c7e83ac5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15050
    Size: 16996 bytes