Malicious PDF — malware analysis report

Static analysis result for SHA-256 7845714a18d4e0e5…

MALICIOUS

PDF

87.1 KB Created: 2021-07-09 00:01:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25
MD5: 9f7a201e09d4074fed6c3afe5a13f7d8 SHA-1: a6dcae54211e743d67ad5eb8bec383cddca8f161 SHA-256: 7845714a18d4e0e59c3c64543ce22d2e0f161fc0292ff501e3be041abb88c824
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, with numerous embedded URLs pointing to compromised WordPress sites, likely serving as a distribution point for phishing or malware. The presence of a 'download button' heuristic further supports a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/uplcv?utm_term=after+effects+mocha+ae PDF link annotation
    • http://gostium.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7841a14d15---61066007570.pdfIn PDF document text
    • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3e420964a---90571799870.pdfIn PDF document text
    • https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/3is6ech03n60s5luhf5rmt0nlp/80753236987.pdfIn PDF document text
    • https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/0463be9ffbb5230930a689df0d07b1b3/xawalepikuwagez.pdfIn PDF document text
    • http://www.amedna.com/userfiles/files/8109844073.pdfIn PDF document text
    • http://www.1atlanticfunding.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b8b435f3c9---66629104901.pdfIn PDF document text
    • https://gmonlinestore.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608717d41c5b6---famoxexog.pdfIn PDF document text
    • https://www.asahinafunnels.com/wp-content/plugins/super-forms/uploads/php/files/f662qq8s0hal7dmo4pcu6opq79/gadagulizepubomumu.pdfIn PDF document text
    • https://contabil-fiscal.ro/mm/file/23096193393.pdfIn PDF document text
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/9604b261f8dfa64d58a38f9d4d53d072/50704894869.pdfIn PDF document text
    • https://facades-metal.ch/ckfinder/userfiles/files/mekiwakutoboxixebas.pdfIn PDF document text
    • https://samarpanbharat.org/trila/userfiles/file/seroradakanopulitafumam.pdfIn PDF document text
    • http://dekoblickfang.de/userfiles/file/jozewazewifini.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160872abbd60d1---65583962817.pdfIn PDF document text
    • http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160add224bd1bd---22896741652.pdfIn PDF document text
    • http://xn--22cjbbm2eyae3ehabdb4kqdtae3dxnnc1fhf.com/user_img/files/60966499026.pdfIn PDF document text
    • https://davebakeragency.com/wp-content/plugins/super-forms/uploads/php/files/daa45ef4919ef5850d3004f83cda4f19/pesojogezepiwemazakida.pdfIn PDF document text
    • http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd2e7b1cc8a---jadobuvusiwifigatuwijik.pdfIn PDF document text
    • https://space1500.com/wp-content/plugins/super-forms/uploads/php/files/1f50472ec69d14d214eddf9d2b014dd0/fakige.pdfIn PDF document text
    • https://ambientltg.com/wp-content/plugins/super-forms/uploads/php/files/976cc7e81c62b48ddcfca209f050336e/23347260878.pdfIn PDF document text
    • https://ratco-hardware.com/Ups/files/21449018175.pdfIn PDF document text
    • https://mamotato.ro/userfiles/file/pukesub.pdfIn PDF document text
    • http://learningkey.org/userfiles/lewaw.pdfIn PDF document text
    • https://mavibusiness.it/file/galetusitolijusolozabeso.pdfIn PDF document text
    • http://teraval.cz/res/file/23530457354.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/dm0b4mdlljdvdrvi6aeflh06r7/85057684198.pdfIn PDF document text
    • http://oreade-breche.fr/userfiles/file/38767328570.pdfIn PDF document text
    • http://bizwd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a974048c736---jaxuzusapelizezapijek.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f21e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF21E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010a30.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A30 17324 bytes
SHA-256: 6a2dcc86e6e5ea8b52dfd54cce989281da61babe977a070e174e96a60d01c7d9
font_02_sfnt_off000137a9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x137A9 10340 bytes
SHA-256: 1db66434965367c07d709b1661a11e511872eb877db8827974ce5f84302c3968

Open this report in the interactive analyzer, or submit your own file for analysis.