Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fd1849ab81ce25a…

MALICIOUS

PDF

82.1 KB Created: 2021-09-16 04:04:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 36d213d11f3999e81b80e8a322745684 SHA-1: dca7af69f4fa84bb7718b1f6a4b8b04ac1238244 SHA-256: 7fd1849ab81ce25a9bc06ab4d5b0261ef9095e4ec704ac043478ab08073726a6
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and numerous external URIs, many of which point to compromised WordPress sites or are part of a link farm hosted on disposable domains. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or distributing further malware. The embedded JavaScript is a common technique for executing malicious code within PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=latest+movie+streaming+sites
    • http://jd6618.com/jd6618/file/2021-9/file/LwpCms2021_09_10_08_38_49_3871.pdf
    • http://knx-shop.ru/admin/ckfinder/userfiles/files/vekegazugupegipasalij.pdf
    • http://lifeline-sports.com/files/file/fikamazoxo.pdf
    • http://www.its-dph.cz/admin/fckeditor/editor/userfiles/file/niroxagukapub.pdf
    • http://sireny.net/share/files/zegebabefinozi.pdf
    • http://7seapharmtech.com/Uploadfiles/files/dasul.pdf
    • https://hilanguage-com-tw.triangle-design.com/files/ropumutexuretidovivonukes.pdf
    • http://residencecarlofelice.com/userfiles/files/649804181.pdf
    • https://feldmann.pl/userfiles/file/48713318032.pdf
    • http://pulsarvn.com/media/ftp/file/vurikuxegasijuju.pdf
    • https://073741256.com/uploads/files/202109151623147189.pdf
    • http://www.combatsim.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1612f4efbe7471---14313310415.pdf
    • http://www.hotel-margherita.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b0fc0c48e2---rovidowolitedowe.pdf
    • https://cebrium.ssnn.ro/images/43026926200.pdf
    • http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/161353f3e8c85f---29470174077.pdf
    • https://sealordhotels.com/ckfinder/userfiles/files/41972063241.pdf
    • https://www.saenger-ohg.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613f1e14cedf7---gosefewutozisemawo.pdf
    • https://toolsatool.com/userfiles/files/44283749791.pdf
    • http://steffis-strassladen.de/userfiles/file/fabujorakamavunij.pdf
    • http://jysfh.com/upload_fck/file/2021-9-14/20210914094440761164.pdf
    • http://www.artefuoricentro.it/js/lib/ckfinder/userfiles/files/65146580911.pdf
    • http://thietkewebbacninh.com/webroot/img/files/gugosuzofef.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df18.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF18 16792 bytes
font_01_sfnt_off0000f72a.bin
e76f7ab507fdcea9d7a9cf6724208471029dc80ce120cb8ef589d813f035725a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF72A 17064 bytes
font_02_sfnt_off00012366.bin
befdd23369ad33fe9297801da33d587d279cfa5a86882546bc3e562fb23bc030		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12366 10428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.