Malicious PDF — malware analysis report

Static analysis result for SHA-256 76edd2d51f2c1c2b…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-09-06 01:19:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-05
MD5: ceea0b50b206e9a657673ae181c0c9dd
SHA-1: de74e74b8c1cfecdbf3e08ebb658f9a077c5c9ad
SHA-256: 76edd2d51f2c1c2b6ff5236177ba5b5f59705004253848b6202552c533073b36
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs that point to compromised WordPress sites and other disposable hosting, indicating a link farm designed to distribute malicious content. The per-URL channel labels record only the smidgel.ru utm_term URL as a clickable link annotation; the other lure URLs were found in the document text. The ClamAV detection and the ML classifier agree that a phishing or trojan payload is intended. No scripts were extracted from the file, so the T1059.007 (JavaScript) mapping is not corroborated by the sample's own contents; the structure and URL patterns are consistent with a phishing lure, likely delivered as a spearphishing attachment. The authoring application string (wkhtmltopdf, an HTML-to-PDF renderer) shows the file was rendered from a web page rather than authored in an office application.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9933

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is in the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    A small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the same 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is in the linked destinations.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate carries active content (here it does not, hence "info").
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://smidgel.ru/uplcv?utm_term=icc+ucpdc+600+pdf (PDF link annotation)
    • https://beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/1d1335a2afbe279208f8e8498dfc0ae4/zasavofivixupowukeviku.pdf (in PDF document text)
    • http://artwatch.ru/userfiles/file/2487350007.pdf (in PDF document text)
    • https://cgeminfos.ma/upload/file/12820865813.pdf (in PDF document text)
    • https://vanvoorst.info/uploaded/file/67664457985.pdf (in PDF document text)
    • http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b412c300378---53639611294.pdf (in PDF document text)
    • http://5thaveseniors.org/userfiles/file/vafoluxof.pdf (in PDF document text)
    • https://ifbscalidad.eus/files/galeria/files/62283902797.pdf (in PDF document text)
    • https://birudongker.com/contents//files/45918668347.pdf (in PDF document text)
    • https://www.web2business.pt/wp-content/plugins/formcraft/file-upload/server/content/files/1609a57834fc36---93979439476.pdf (in PDF document text)
    • http://lycee-elm.org/userfiles/file/tezabufijekomuku.pdf (in PDF document text)
    • http://guyfamilyreunion.com/clients/41950/File/mopobebeto.pdf (in PDF document text)
    • https://sandzak.best/wp-content/plugins/super-forms/uploads/php/files/4868cc5cab16a76716cff2a8c36ffd2b/39875375528.pdf (in PDF document text)
    • http://longchimvac.net/app/webroot/uploads/files/devipozadimosido.pdf (in PDF document text)
    • http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/160adf1ea7e203---72504577275.pdf (in PDF document text)
    • https://nobleanimalsanctuary.org/wp-content/plugins/super-forms/uploads/php/files/tmp/gijeritod.pdf (in PDF document text)
    • http://www.temaricerca.com/entry2013new/admindia/ckfinder/userfiles/files/93966111011.pdf (in PDF document text)
    • https://likeevent.it/writable/public/userfiles/file/duxum.pdf (in PDF document text)
    • http://promocode.lu/userfiles/files/10946905124.pdf (in PDF document text)
    • https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070944f072d6---2110869712.pdf (in PDF document text)
    • https://alfa-clining.ru/wp-content/plugins/super-forms/uploads/php/files/f8b21bf2d7b3e03a8341168a57982610/wujuriguvewudofu.pdf (in PDF document text)
    • http://championshipsportsrings.com/clients/23492/File/62931408562.pdf (in PDF document text)
    • http://iwayman.com/uploadfiles/file/210901041304536476tjsggh.pdf (in PDF document text)
    • http://kenzoum.org/home/integrity/public_html/ckfinder/userfiles/files/36855766202.pdf (in PDF document text)
    • http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/160a1bd6e513eb---49496192085.pdf (in PDF document text)
    • http://come2menorca.com/images/file/kemuvefukevukarixupeme.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last eight entries are RDF/XMP namespace identifiers from the document metadata and the DejaVu font project and licence URLs carried by the embedded fonts; they are not navigable link targets and do not count toward the link farm.
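The following Python is an added example, not the analysis platform's own code, reproducing two of the checks described in the heuristics above over constructed input: the link-farm features (many links spread across distinct hosts, targets in form-plugin upload directories, random-slug filenames, a utm_term redirector) and the duplicate-object check for the same object number and generation defined twice with different bodies. The upload-path markers, slug patterns, thresholds and the rule labels (reused from the report's IDs for readability) are assumptions made for illustration; the sample URL list is a subset of the URLs listed in this report, and the PDF bytes are a hand-built minimal file, not the analysed sample.

```python
"""Added example (not the report platform's code): two PDF-triage checks that
mirror heuristics in the report above, run over constructed sample input."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: upload directories of form/file-manager plugins where this
# family parks its payload PDFs (substring match on the URL path).
UPLOAD_PATH_MARKERS = (
    "/wp-content/plugins/formcraft/file-upload/",
    "/wp-content/plugins/super-forms/uploads/",
    "/ckfinder/userfiles/",
    "/userfiles/file",
)
# RDF/XMP namespace identifiers and font-licence URLs come from document
# metadata and embedded fonts, not from clickable links; exclude them.
METADATA_URL_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/",
    "http://ns.adobe.com/",
    "http://dejavu.sourceforge.net",
)
# Assumption: slug shapes seen in this family: long digit runs (optionally
# with letters), hex---digits, and consonant-vowel gibberish like "vafoluxof".
SLUG_PATTERNS = [re.compile(p) for p in (
    r"\d{8,}[a-z]*",
    r"[0-9a-f]{12,}---\d+",
    r"(?:[b-df-hj-np-tv-z][aeiou]){3,}[b-df-hj-np-tv-z]?",
)]

def is_random_slug(url: str) -> bool:
    stem = urlsplit(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return any(p.fullmatch(stem) for p in SLUG_PATTERNS)

def link_farm_signals(urls) -> dict:
    """Summarise link-farm features over the URLs extracted from one PDF."""
    links = [u for u in urls if not u.startswith(METADATA_URL_PREFIXES)]
    hosts = Counter(urlsplit(u).hostname for u in links)
    return {
        "link_count": len(links),
        "distinct_hosts": len(hosts),
        "dominant_host_share": max(hosts.values()) / len(links) if links else 0.0,
        "cms_upload_links": sum(any(m in urlsplit(u).path for m in UPLOAD_PATH_MARKERS) for u in links),
        "random_slug_links": sum(is_random_slug(u) for u in links),
        "seo_redirector": any("utm_term" in parse_qs(urlsplit(u).query) for u in links),
    }

def link_farm_rules(urls, min_links=8, min_hosts=8, max_share=0.25) -> list:
    """Rule labels reuse the report's IDs; the thresholds are assumptions."""
    s = link_farm_signals(urls)
    spread = (s["link_count"] >= min_links and s["distinct_hosts"] >= min_hosts
              and s["dominant_host_share"] <= max_share)
    rules = []
    if spread and s["cms_upload_links"] >= 3:
        rules.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    if spread and (s["seo_redirector"] or s["random_slug_links"] * 2 >= s["link_count"]):
        rules.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return rules

# Second check: the same (number, generation) defined twice with different
# bodies. Benign incremental updates do this too, so only flag "active" when
# either body carries an action/script key.
OBJ_RE = re.compile(rb"^\s*(\d+)\s+(\d+)\s+obj\b(.*?)^\s*endobj\b", re.M | re.S)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI")

def duplicate_objects(pdf: bytes) -> list:
    """Return (num, gen, carries_active_content) for each redefined object."""
    first, findings = {}, []
    for m in OBJ_RE.finditer(pdf):
        key, body = (int(m.group(1)), int(m.group(2))), m.group(3).strip()
        if key not in first:
            first[key] = body          # first-wins readers resolve this body
        elif body != first[key]:       # last-wins readers resolve this one
            active = any(k in first[key] or k in body for k in ACTIVE_KEYS)
            findings.append((key[0], key[1], active))
    return findings

# Constructed sample: a subset of the URLs listed in the report above.
SAMPLE_URLS = [
    "https://smidgel.ru/uplcv?utm_term=icc+ucpdc+600+pdf",
    "https://beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/1d1335a2afbe279208f8e8498dfc0ae4/zasavofivixupowukeviku.pdf",
    "http://artwatch.ru/userfiles/file/2487350007.pdf",
    "http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b412c300378---53639611294.pdf",
    "http://5thaveseniors.org/userfiles/file/vafoluxof.pdf",
    "https://sandzak.best/wp-content/plugins/super-forms/uploads/php/files/4868cc5cab16a76716cff2a8c36ffd2b/39875375528.pdf",
    "http://www.temaricerca.com/entry2013new/admindia/ckfinder/userfiles/files/93966111011.pdf",
    "http://iwayman.com/uploadfiles/file/210901041304536476tjsggh.pdf",
    "https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070944f072d6---2110869712.pdf",
    "http://come2menorca.com/images/file/kemuvefukevukarixupeme.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]
# Constructed control: a normal document citing two pages on one host.
BENIGN_URLS = ["https://docs.python.org/3/library/re.html",
               "https://docs.python.org/3/library/urllib.parse.html",
               "http://www.w3.org/1999/02/22-rdf-syntax-ns#"]
# Constructed minimal PDF (no valid xref; enough for the regex walk): object 1
# is redefined in an incremental update with an OpenAction, object 2 is not.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(link_farm_signals(SAMPLE_URLS), link_farm_rules(SAMPLE_URLS))
    print(link_farm_rules(BENIGN_URLS), duplicate_objects(SAMPLE_PDF))
```

Run against the report's full URL list the same two rules fire; against the benign control none do, because the links cluster on one host and never reach the spread threshold. The duplicate-object walk is deliberately a raw byte scan rather than an xref-driven parse, since the point of the heuristic is exactly that different readers resolve the duplicate differently.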

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000be22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBE22 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000d634.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD634 | 22504 bytes | f5c225999653c68aaa734a2b78a07a70a067dc520d3f8c1c75e6906c93232a36
font_02_sfnt_off00010e1f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E1F | 9932 bytes | 3f3d56015e7fe30f7005f04496240a027e69b6e43aa695b6feef87bc9719b1f5
font_03_sfnt_off0001241a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1241A | 16368 bytes | 9a66027963beb4f7144b71894ef6e28ea645eed8fda672dc3e1e1f3663a1039f