Malicious PDF — malware analysis report

Static analysis result for SHA-256 78773c08df36537d…

MALICIOUS

PDF

83.0 KB Created: 2021-09-06 08:06:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: b930ed16461e76d18b7d8f63e4172703 SHA-1: ddde4fe8eab726503d3bc86948940d3923f99fb1 SHA-256: 78773c08df36537d22a607a9521d678ad46c99f515b68d399f077683951d739c
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains numerous embedded URLs that point to various websites, many of which appear to be compromised WordPress installations or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a link farm strategy, likely intended to redirect users to malicious content or phishing pages. The ML classifier and ClamAV detection strongly suggest malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=computer+virus+name+list+pdf PDF link annotation
    • https://shen-su.eu/gfx/userfiles/files/buzikep.pdfIn PDF document text
    • http://uyaviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/161106dc5cd5bc---68216491164.pdfIn PDF document text
    • http://chicagohalo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad1f0b63bea---49588535839.pdfIn PDF document text
    • http://sromedical.com/file_media/file_image/file/xerivu.pdfIn PDF document text
    • https://tavio.ru/files/file/zodogovuvozajopixa.pdfIn PDF document text
    • https://e-lightingcontrols.com/wp-content/plugins/super-forms/uploads/php/files/bfe4b5c258f7a053ab6fb43da5e4935a/reledinuvinakixik.pdfIn PDF document text
    • https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/9c4f6be34c96fb0e8baef2965afc72b2/bunuboj.pdfIn PDF document text
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1609d5a5a03efb---25689088403.pdfPDF link annotation
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/793erhdjbj7unqljpb6nj089k2/90126542916.pdfIn PDF document text
    • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160dc208b973cd---93801585138.pdfIn PDF document text
    • http://www.gonouvellezelande.com/files/reruvi.pdfIn PDF document text
    • https://k2salight.com/wp-content/plugins/super-forms/uploads/php/files/040fbd0e40f6e14dcddc40ce593c82d0/vezinezatufireposud.pdfIn PDF document text
    • http://suara.ru/img/file/goxilukifop.pdfIn PDF document text
    • https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/mr4aphnf054fkd30pabad5fohk/96366830575.pdfIn PDF document text
    • http://duquenne-moteurs.fr/webroot/upload/files/81987137732.pdfIn PDF document text
    • https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611360443b426---98679008124.pdfIn PDF document text
    • http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/55518c636f01c2f89d53ef097c5d45a8/kuxoparemoxoxipabibunaw.pdfIn PDF document text
    • https://noithatkuongthinh.com/uploads/files/93616293750.pdfIn PDF document text
    • http://stoka-saarlouis.de/userfiles/file/7826859013.pdfIn PDF document text
    • https://www.phoenixdentalacademy.co.uk/wp-content/plugins/super-forms/uploads/php/files/48a9c61684106e716b7e6cf085a1b799/74220458946.pdfIn PDF document text
    • http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610e0c5e049b3---pugizelataxanojulubedar.pdfIn PDF document text
    • http://jandebruijn.com/uploadimages/files/vosorejab.pdfIn PDF document text
    • https://www.informacion-indoorclub.com/boletines/img/file/durewuvarusesod.pdfIn PDF document text
    • http://klientskazona.radeton.sk/ckfinder/userfiles/files/23460554911.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE94 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000f6ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6AB 10856 bytes
SHA-256: 78adc1fe92cdae7f110c9cf8c3c165eb3efc5ab176f02b598d4506d74d0b3dd8
font_02_sfnt_off00010fbd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10FBD 18044 bytes
SHA-256: ddf0a1143d4a815d4d2e102c52685a9df321a6d6545f1fa1723c09785abfe013