Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ff10a5d0e579a54…

MALICIOUS

PDF

85.9 KB Created: 2021-07-06 16:32:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 98bc2f1d9ec02aa31f2cc6dbd517827f SHA-1: 33fefc1f5e11a7d707368d343de53493cc4628b2 SHA-256: 7ff10a5d0e579a54dd261a0a6320fcc5ee53401bcb385ece57f7fcb00b9ee77b
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous links pointing to compromised WordPress sites, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were directly extracted, the structure and numerous external links are indicative of a malicious PDF designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160e082b5f3107---85262086176.pdf In PDF document text
    • http://triumphtoday.org/wp-content/plugins/formcraft/file-upload/server/content/files/160bc00597e06d---50197760373.pdfIn PDF document text
    • http://www.ddd-iasi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160af7a8b3ab1d---72365830905.pdfIn PDF document text
    • https://vydavatelstvoklett.sk/userfiles/file/liwazupiwifo.pdfIn PDF document text
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab5fcc30437---sebaru.pdfIn PDF document text
    • https://angelsstaff.com/uploads/file/xewuset.pdfIn PDF document text
    • https://georgiamusicpartners.org/wp-content/plugins/super-forms/uploads/php/files/faa128995430419b0464a23d917fafcd/ruxidatas.pdfIn PDF document text
    • http://canyonoaksmtg.com/~duckdi5/canyonoaksmtg.com/content/file/vuloraluwefigelujoxog.pdfIn PDF document text
    • https://www.wikiwebagency.it/wp-content/plugins/super-forms/uploads/php/files/739bac6aee1c19e83838f56c9062cab1/rodewatozegovitebuk.pdfIn PDF document text
    • https://brokenspoke.com/wp-content/plugins/super-forms/uploads/php/files/5592211cf78a51f0c1d67c20a5571554/34789348439.pdfIn PDF document text
    • https://thegioibaobicarton.com/Images_upload/files/donelofuwufododipawexavu.pdfIn PDF document text
    • http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b9ddbfe5b93---zefejerilab.pdfIn PDF document text
    • https://tfnd.org/wp-content/plugins/super-forms/uploads/php/files/f495f6bc0cb7a7d52fe5a614d1f5d679/87735384690.pdfIn PDF document text
    • https://bayardplaza.co.uk/wp-content/plugins/super-forms/uploads/php/files/5r4082iog411rnq7cio6hrbn18/numepinabidir.pdfIn PDF document text
    • https://stefandes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e1a4f32ada---78798373390.pdfIn PDF document text
    • http://espacioschillout.es/images/admin/file/kufajapupamuwuvevisevop.pdfIn PDF document text
    • https://empylean.com/wp-content/plugins/super-forms/uploads/php/files/rnt7lp56jbhar6soks5gftj7e6/85839504218.pdfIn PDF document text
    • http://ednak.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bab36bd2ab---tatofut.pdfIn PDF document text
    • https://aprilboya.com/userfiles/file/15820605920.pdfIn PDF document text
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160dd7ca16af61---vekulizikepoxewonek.pdfIn PDF document text
    • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d072e433df6---ketijefomazix.pdfIn PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/4b9fe3sokorqgnsghosrb6k7o0/kunewulijuk.pdfIn PDF document text
    • https://neavocats.com/wp-content/plugins/super-forms/uploads/php/files/b8de54080eb4afceea26963e1b8a4545/94896055560.pdfIn PDF document text
    • https://fitnessrev.net/wp-content/plugins/super-forms/uploads/php/files/brohvtb1a7ardapl19tmfsldp4/83302810620.pdfIn PDF document text
    • http://gildiamasterov.ru/userfiles/file/24501058646.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=pertussis+in+infantsPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEF8A 10144 bytes
SHA-256: 5b1833ef3fdf9687aac0ec146ccdada1434ac790f55440f3dff1e06ae81f4984
font_01_sfnt_off0001065d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1065D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011e6f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11E6F 16952 bytes
SHA-256: c60c4831d49dc468dcbdc7c983e5da14d39bbde364d000e11702843f43b66675

Open this report in the interactive analyzer, or submit your own file for analysis.