Malicious PDF — malware analysis report

Static analysis result for SHA-256 75e11da4bde69904…

MALICIOUS

PDF

Size: 91.1 KB
Created: 2021-06-27 02:25:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-14
MD5: c3af04ae381e9314b30f59873fb76430
SHA-1: 974fff6df44601b1a3d74dfef1039e29667beafd
SHA-256: 75e11da4bde6990460a4f65599e70c28525d406ca0c213e42326583726c91cf4
Risk Score: 196

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. The 'SE_CLICKFIX' heuristic indicates a social engineering attack designed to trick users into running commands. The document body is heavily obfuscated, but the heuristics suggest it functions as a link farm, potentially leading to further malicious content or phishing attempts. Several URLs were extracted, some pointing to compromised CMS uploads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (each followed by the channel that reached it):
    • http://starlightcelebre.org/clients/4/43/43e9139217482d7666ce300faf566241/File/vuxapevijeririfepajosurem.pdf (In PDF document text)
    • https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1c7f27f435---73167761164.pdf (In PDF document text)
    • http://bioscipublisher.com/files/upfiles/file/32963957207.pdf (In PDF document text)
    • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a652fbdf02e---30460914289.pdf (In PDF document text)
    • http://anhbanglaw.com/userfiles/file/88166055099.pdf (In PDF document text)
    • https://securitydm.com/slicice/file/delukenelasevanelumupeda.pdf (In PDF document text)
    • http://dj-venci.com/uploads/pages/files/gorineseviposuw.pdf (In PDF document text)
    • https://hps-gruppe.com/wp-content/plugins/super-forms/uploads/php/files/1ob9rrvhb0dl076babq32h53dn/91604865148.pdf (In PDF document text)
    • https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/35lpfsuep7os7bp6hd462fod61/mabebesadopurixinemikumo.pdf (In PDF document text)
    • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160d392a07c329---7884967570.pdf (In PDF document text)
    • http://www.hcibatiment.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160a05049a486a---4656303091.pdf (In PDF document text)
    • http://davcpundri.com/css/file/lilabuxasuzadomevake.pdf (In PDF document text)
    • http://discoveryenglish.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a896f71ba4e---guvaminowapasudebosopoje.pdf (In PDF document text)
    • https://maidintown.co.uk/wp-content/plugins/super-forms/uploads/php/files/02cdc630536963f51fd89a0e214312a9/87638413834.pdf (In PDF document text)
    • http://ttlengenharia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606ff7e701028---84621168531.pdf (In PDF document text)
    • https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/16083c8bc7ce9d---7998498182.pdf (In PDF document text)
    • http://vencedor.coop/images/admin/file/5490038827.pdf (In PDF document text)
    • https://europeancustomtailor.com/wp-content/plugins/super-forms/uploads/php/files/4d6ca8ef8b445fe3c16d1e741ab3f63d/69485089835.pdf (In PDF document text)
    • http://feach.ie/images/uploads/file/razedajivonawime.pdf (In PDF document text)
    • https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/9030132pofg1b2o2t1vr39apqn/pelojesizowe.pdf (In PDF document text)
    • https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/160837ae223ca2---kosumiwufedi.pdf (In PDF document text)
    • http://ptk-astana.kz/wp-content/plugins/super-forms/uploads/php/files/8b5ddeca6c9ad2900cdb4d72c738d726/65627294327.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=how+to+lower+your+ping+in+fortnite (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ff86.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF86
    Size: 17544 bytes
    SHA-256: 4a1638481b8d5f9e80b5f7e65d38504749b290b010660d084a3dbe68261326c0
  • font_01_sfnt_off00012d86.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D86
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_02_sfnt_off0001459d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1459D
    Size: 10496 bytes
    SHA-256: 74f0cd691d3835182cdf305a6842ada686d7026ee61f3bc8602d7bbe207d26ca