Malicious PDF — malware analysis report

Static analysis result for SHA-256 75d6512ed949a4e8…

MALICIOUS

PDF

263.0 KB Created: 2021-05-09 22:42:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: 02f8e46373f2ead2caeb870b3ab583aa SHA-1: dca80a62164c303816ab4e13b1419f17f9af0cef SHA-256: 75d6512ed949a4e808a077aa188096dc47471e70a828e102de6aa95756128f13
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it uses SEO redirectors and links to compromised CMS upload storage, suggesting a phishing or malware distribution scheme. Although no scripts were extracted, the presence of external URIs and the overall detection profile point towards a spearphishing attachment attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160769e3ad4ea5---kilokinanekekupesekamusuj.pdf In PDF document text
    • https://na-nule.ru/wp-content/plugins/super-forms/uploads/php/files/chb5fniq6pv9d06l27nihgqrm6/bemidisalofujivefike.pdfIn PDF document text
    • http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607705904aa0c---xuzekososagusubisevixiz.pdfIn PDF document text
    • https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ab602ea987---vifuxigoji.pdfIn PDF document text
    • https://sipsib.ru/wp-content/plugins/super-forms/uploads/php/files/419273d45a4dadb7e0ace3fba32af151/xavozuraramubudo.pdfIn PDF document text
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/968fd24c64fc69ccbaa3aec69bff19be/31591735556.pdfIn PDF document text
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/16072aae957b12---sofekevunalowux.pdfIn PDF document text
    • https://flexrocksrollovers.com/wp-content/plugins/super-forms/uploads/php/files/42pi7e00h7sp2ogvljsusahdnf/14123293234.pdfIn PDF document text
    • https://thesaddlebank.com/wp-content/plugins/super-forms/uploads/php/files/lqne29mv77e6p8g1tt761gmcqc/2389354228.pdfIn PDF document text
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/16082438132f8f---mabunutelejesavisovesivu.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160821e2c1330e---dinobomanusijisor.pdfIn PDF document text
    • https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074d40d30af3---lakazawemele.pdfIn PDF document text
    • https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/12e2aa2c23972a756f9f6070202e37fd/65867174903.pdfIn PDF document text
    • https://chocoinmobiliario.com/wp-content/plugins/super-forms/uploads/php/files/b50021be4123fe06efe0ba824a058414/jigeri.pdfIn PDF document text
    • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d455e983fd---26554553291.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=legacy+of+the+void+campaign+unit+guidePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003bc93.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3BC93 5368 bytes
SHA-256: 94d2bc2816698d864f7e92218ed3b1f3fca3f9e662869889003784477b3c0421
font_01_sfnt_off0003ceca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3CECA 10928 bytes
SHA-256: a9a94ecd52eb144ad3492d13a479d8aa19eb5b5e229d0aa2a2451d080c205bdc
font_02_sfnt_off0003f3f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3F3F1 17408 bytes
SHA-256: b777268d75d598bde6f8301a07d08315cac8a03fa6ca24d4fe8223bb5c54c1e7