Malicious PDF — malware analysis report

Static analysis result for SHA-256 8035948e1e735bb3…

MALICIOUS

PDF

112.0 KB Created: 2021-08-13 08:04:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: daae2eb75ef16c15b3b871ead42772bb SHA-1: e4559b1b1cf9466d20204efd0b8be3af87bedc98 SHA-256: 8035948e1e735bb39f653d305a401fcc2fdb7b808bf85cc49071791f12a805aa
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

This PDF document was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan distribution attempt. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' strongly suggests the document instructs the user to copy and paste commands into a shell, a common technique for executing second-stage payloads. The numerous extracted URLs, many hosted on compromised WordPress sites or disposable domains, likely serve as download locations for these payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9909

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=mpl_toolkits.basemap+python+install PDF link annotation
    • http://lignumweb.com/site/webroot/uploads/files/69797797760.pdfIn PDF document text
    • http://foto-video.ch/userfiles/files/majonufogunepavak.pdfIn PDF document text
    • https://www.psk.com.au/application/third_party/ckfinder/userfiles/files/likeneji.pdfIn PDF document text
    • https://avigailpekelman.com/sites/default/files/file/vefobosunafi.pdfIn PDF document text
    • http://chocolatycakes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a86d3a60042---xojawuzizuvawozod.pdfIn PDF document text
    • http://bluecars.pl/userfiles/file/24950699132.pdfIn PDF document text
    • https://www.marthatrotts.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16071bcf00aa5e---gufuxokapojuzudo.pdfIn PDF document text
    • https://stdtekstil.com/upload/ckfinder/files/37778838678.pdfIn PDF document text
    • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/s34g362rkrjsqqmivjvd60bh43/19024480106.pdfIn PDF document text
    • https://www.alphaveneers.com/wp-content/plugins/super-forms/uploads/php/files/fcd46beef3ad182042760712b5ffe198/94517552283.pdfIn PDF document text
    • https://radmangroup-ye.com/rgfiles/file/vozejomagogukurufi.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/gadfgqe5tvn9ohc36bvtgfupub/ladoruvonabej.pdfIn PDF document text
    • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/2f2ac3d8f85005b677711d359e591d11/patop.pdfIn PDF document text
    • http://for-rent-leuven.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afbfeab1aa4---54895073689.pdfIn PDF document text
    • http://hanasushi6.com/uploads/files/tiberunojiti.pdfIn PDF document text
    • http://velisend.ru/photos/file/15973398829.pdfIn PDF document text
    • http://bukharaatlanta.com/sites/default/files/file/69010665522.pdfIn PDF document text
    • https://elitteaccesorios.com/wp-content/plugins/super-forms/uploads/php/files/bfgouip4ftkbs7op1pteqs6t7g/xinovekijinitodobapuzituj.pdfIn PDF document text
    • https://www.caesarstravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b19c58dd704---xufaneromujawotenu.pdfIn PDF document text
    • https://callhfelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072d3c9cdd0f---1738586544.pdfIn PDF document text
    • http://nuyewrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/7fb7b05783d49458967de04f72e63641/lotekupegarotawe.pdfIn PDF document text
    • http://emusicmarket.com/upfile/board/files/xuxesobizefomifefifuvujox.pdfIn PDF document text
    • http://indagosrl.it/userfiles/files/48990987672.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • https://www.cnblogs.com/yinux/articles/12329933.htmlIn PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d5c8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD5C8 47120 bytes
SHA-256: 6df1cf7f3b0d38e8fa4debe8e7ba77a5af1cda5b1eebdcb3ba2cfdb9f015c237
font_01_sfnt_off00015002.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15002 17808 bytes
SHA-256: 1425c67764673c7e8be352d96b899a54c6f19ca8aea30f40a8e72d4d54d2585d
font_02_sfnt_off00017f1c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17F1C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off00019733.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x19733 10852 bytes
SHA-256: 3d6ad5bf3da6305afdcd2bd213d94d0919a72faf2514d9926a39e0dfc57770af

Open this report in the interactive analyzer, or submit your own file for analysis.