Malicious PDF — malware analysis report

Static analysis result for SHA-256 7dd307fc8618d0a4…

Verdict: MALICIOUS
File type: PDF

Size: 78.5 KB
Created: 2021-07-05 23:18:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-14
MD5: 601a8d9d58ae080083f4622b0377068e
SHA-1: b5de3f357de44f78ca77794c9253b9e02ef23039
SHA-256: 7dd307fc8618d0a44f35d783c5d24b639d49c2aff07c3a2c1c60db7e310ea0d5
Risk Score: 216

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external URLs, many hosted on compromised WordPress sites, suggesting an attempt to distribute malicious content. The 'SE_CALLBACK_LURE' heuristic indicates the document may prompt the user to call a number, a common tactic in phishing or tech-support scams. Although no scripts were explicitly extracted, the presence of PDF_URI and PDF_RANDOM_URL_LINK heuristics, along with the ClamAV detection, strongly suggests a phishing or trojan distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off0000cf06.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCF06  | 10996 bytes
    SHA-256: fab5b50249a90e5d2aaf287ff038b43fd2aa4bceda107dca2852c3dfe2658f1b
font_01_sfnt_off0000e88c.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE88C  | 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001009e.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1009E | 16252 bytes
    SHA-256: 3af54b44df2dc38049bbb6844f79875873966a25b1fad03a024f379875662936