Malicious PDF — malware analysis report

Static analysis result for SHA-256 78c7e48c9c3edc49…

MALICIOUS

PDF

69.3 KB Created: 2021-04-30 05:52:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b16246d2261bfa3b027773b0246c42d0 SHA-1: 146c7121ab2eeb4ba277399a1d9c73765a4cdb00 SHA-256: 78c7e48c9c3edc4911ac9ed266b8e93e51fd6affb7ee0abd82e2dc9151d0da72
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by multiple detection engines, including ClamAV and an ML classifier. It contains numerous links pointing to compromised WordPress sites, suggesting an attempt to redirect users to malicious content. The presence of embedded URLs and the nature of the heuristics indicate a phishing or malware distribution campaign, likely initiated via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6f689995e---80396027435.pdf
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/16072ce827b5de---58503591576.pdf
    • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/39b8fb4b3c3d328b16230aa15ca862d3/79258796222.pdf
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/cd1acnu35tl5mlf5jhv3pfpfe6/gefutogorigoganunatufu.pdf
    • https://notofthisgalaxy.com/wp-content/plugins/super-forms/uploads/php/files/njkc9f070ep23u74huf2ldrpjc/34281015630.pdf
    • http://curry-box-deluxe.de/userfiles/file/gubigoz.pdf
    • http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b04c1ca711---37797627898.pdf
    • https://creationstationdance.com/wp-content/plugins/formcraft/file-upload/server/content/files/160816ffb17d4b---josum.pdf
    • http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607e47ac0da8f---21066746441.pdf
    • https://reflexlighting.com/wp-content/plugins/super-forms/uploads/php/files/7a55ee205e08be3bbd6d87a0bcda11a7/vebesuxeduvofibefusavon.pdf
    • https://provisionsinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cd2d347eee---xizewaxusogivugizusibab.pdf
    • https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1607513a1549ca---38291084377.pdf
    • https://monuments-msk.ru/wp-content/plugins/super-forms/uploads/php/files/27ca1ef1465d2cfbe773258b439c39dc/65446727304.pdf
    • http://allmedicus.com/userfiles/file/fogazefovosozavogedozo.pdf
    • http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/160800ab57e1ef---vokulazorugibem.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=canadian+heart+and+stroke+acls+guidelines
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce96.bin
ee5628e4a19d19d739463423cd444ad4d728b58e9b7f521e72d594ca5beb0389		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE96 5172 bytes
font_01_sfnt_off0000e024.bin
eb1553b3d2b81aa4349583abb0a355c33cb9b21d19dfd544209c3014402eb7a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE024 10408 bytes
font_02_sfnt_off000103ac.bin
9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103AC 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.