Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e049914b3ccd240…

Verdict: MALICIOUS
File type: PDF
Size: 174.9 KB
Created: 2021-06-26 20:49:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 26962707d5fee347b3155635e3628371
SHA-1: 68926f6d00465e0ed5756d8ec898c80cf4116f01
SHA-256: 7e049914b3ccd2409c15fb0f7988d020fbe5b800a9ec33a3b7209eb0950196f4
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites and are structured as link farms. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and URL patterns are consistent with techniques used to lure victims to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9789

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, its SHA-256, its kind, where in the sample it was carved from, and its size.

stream_005_off00025263.bin
  SHA-256: 01d874798fbf9d949565c0c82bb021f14a2cda282019bc0768fb05c118e7ef01
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x25263
  Size: 24168 bytes

font_00_sfnt_off0001e65b.bin
  SHA-256: 78b93401f5f1a8b6ca3cfaeca9c0752606562aa3f79289d2273a9a1faa5a1424
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1E65B
  Size: 38376 bytes

font_01_sfnt_off00023a52.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x23A52
  Size: 16792 bytes

font_03_sfnt_off00027b38.bin
  SHA-256: 8ec83a3b1462116ab352a99ecfbcd221035f298c3e26a9caf0498149aa4e7675
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27B38
  Size: 8528 bytes

font_04_sfnt_off00029682.bin
  SHA-256: 47bab86d918de04e38f1867ee4cd80e4c3e6e543797d766cd7b6b6dff1d860a6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x29682
  Size: 10160 bytes