Malicious PDF — malware analysis report

Static analysis result for SHA-256 77b2af102fd61ab3…

MALICIOUS

PDF

87.6 KB Created: 2021-09-01 09:48:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b7232455c363f4af5b7a728fcd579941 SHA-1: fdd2fab4eb299f001784193f4448569a5c302b4c SHA-256: 77b2af102fd61ab3b9ab985ba6ca3de9872aad6ac2c0d54c0d39707b0b84a1e2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It contains numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The ML classifier also strongly indicated maliciousness. While no scripts were explicitly extracted, the nature of the links and the detection names suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cor.org.ar/wp-content/plugins/super-forms/uploads/php/files/c32m373uh9ibd6c3mjiottha8k/33158079885.pdf
    • http://www.polni.si/Images/files/49222666253.pdf
    • https://www.kalirich.com/wp-content/plugins/super-forms/uploads/php/files/a0hfinepugrcq3js6v8vd76vq5/67188477519.pdf
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160984aa582ce1---40055504084.pdf
    • https://communeouchamps.fr/userfiles/file/tafokevuwigotudetepute.pdf
    • http://amandatravel.com/userfiles/file/fopaxofupamo.pdf
    • http://www.cargeacrew.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16082071c599b4---59828784691.pdf
    • https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1606efe89e50ae---bexapenimov.pdf
    • https://agrachoff.ru/wp-content/plugins/super-forms/uploads/php/files/061c932a1a40d6888480308bfc96dce8/bogepifoterorovapanase.pdf
    • http://www.tekkoo.net/images/library/File/84756844094.pdf
    • http://k-yoga.org/file_upload/spaw_upload/file/20210507130741.pdf
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f20f4a8d20a---fezagesigef.pdf
    • https://motionslam.com/wp-content/plugins/super-forms/uploads/php/files/7f6273584fdad42a205365d9804c4e86/fevivinixetitoz.pdf
    • http://erex.hu/upload/file/bolovizanufavejegadozaw.pdf
    • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0bb5925926---daxixavaka.pdf
    • http://uchid.com/uploads/file/dudevoxobezodojajanupizix.pdf
    • http://www.festivalmarrakech.info/wp-content/plugins/formcraft/file-upload/server/content/files/160ab388cb7008---17536236201.pdf
    • http://www.investinwielkopolska.pl/application/lib/ckfinder/userfiles/files/39214004943.pdf
    • https://mebelihome.ru/upload_picture/48076394123.pdf
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160de380ebb06e---sopoj.pdf
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/b56a4ee1d8a1c53d60608810480e89d2/13243593891.pdf
    • http://nd-58.ru/wp-content/plugins/super-forms/uploads/php/files/b640f2793c3e6e0ea835376a696962dc/bugigibomebezimerepulu.pdf
    • http://ne-moloko.ee/wp-content/plugins/super-forms/uploads/php/files/32e15d632ef45901c2059afb1e48c9cc/wumodomu.pdf
    • https://eandjfamilyhealthcenter.com/wp-content/plugins/super-forms/uploads/php/files/c534febd39440647b9b044942f50128b/marilodesosopomakib.pdf
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/51e045ielvrbm0kkh58sefnoae/wagudabezijomid.pdf
    • http://qdsenfeng.com/data/files/92155509446.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=network+usage+view
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f231.bin
412fefe8d7a1bb273c917f378d96af8ab2033f501f53457d5b183c03de93b045		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF231 17740 bytes
font_01_sfnt_off00012057.bin
5e7e982bd0e5212461b3a1fd1f9ee412468a90a45377e3a27d9a621655a4b1b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12057 10452 bytes
font_02_sfnt_off0001385e.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1385E 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.