Malicious PDF — malware analysis report

Static analysis result for SHA-256 79df28d68584710b…

MALICIOUS

PDF

79.7 KB Created: 2021-06-10 21:59:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17ea3661f69766c9c344ec652b01ecd4 SHA-1: cb71fa3d6fc51a6810555cd59872427851fe92f9 SHA-256: 79df28d68584710bc287001846715a222cf7175bf5a7daeefa2b0bc78de2e12a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The document contains numerous links pointing to compromised WordPress sites, indicating a link farm designed to redirect users to malicious content. The presence of external URIs and link farms suggests an attempt to distribute phishing content or malware, likely initiated via a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=insurgent+watch+online+123movies
    • http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/jnap1q7rkld18a6k5vdphmvauo/44085322815.pdf
    • https://xn----7sbbjg7ctfs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/5ac9deffffb552f07b370d86ca5fbd39/gubimofavefilopisalog.pdf
    • http://raunlarose.us/wp-content/plugins/formcraft/file-upload/server/content/files/16082f1f84bac5---62605065849.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/7fb5a5965e78a09fdc6deebb0c2bd326/46209810050.pdf
    • http://www.northeastmarquees.com/wp-content/plugins/super-forms/uploads/php/files/b48947ea3cabbe76c8c1a5d9c9e1e80c/kabepaxupanukanimosezu.pdf
    • http://augustaelectricalwork.com/editorData/file/63785751753.pdf
    • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607787e18ea2e---xovapebigesodevag.pdf
    • https://olmitek.by/wp-content/plugins/super-forms/uploads/php/files/0j6kknnpb1ntpm7b9r04upvf76/xikodawanenevuwum.pdf
    • https://aplusadvance.com/naver_editor/data/file/11704600942.pdf
    • https://www.dolphinrfid.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084ca1162997---90562416150.pdf
    • http://agataklimowska.pl/userfiles/file/zazobovizunatukozabiloke.pdf
    • http://studiobaliva.eu/userfiles/files/99700576649.pdf
    • http://studiogallerani.it/userfiles/files/97538488092.pdf
    • http://www.ashtralmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075ed4a10348---89920561679.pdf
    • https://uniqrelation.com/userfiles/file/83631109724.pdf
    • https://sarujiovalente.com/wp-content/plugins/super-forms/uploads/php/files/pid6cctge1k1m0bacj1ggt489s/lujezivozopog.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f62e.bin
4cd10a720a756d524ab7423b05028727b7ed316d41126e2bb087e9a362b93b09		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF62E 5648 bytes
font_01_sfnt_off0001095b.bin
17e6b30492b5d6785af36cee28e3d703ceea3f15d6e3b2ad1bce94c118b5bfbd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1095B 11476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.