Malicious PDF — malware analysis report

Static analysis result for SHA-256 825472b10150c992…

MALICIOUS

PDF

87.8 KB Created: 2021-06-23 17:51:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a6ef8c044e3e6a54f25ce9ae46b5968 SHA-1: 8385d4196db76a68118f20c63b115055fdda85ef SHA-256: 825472b10150c9927259ef4d68e371902d2ba1703a24418ee3a87a9e7ff5d3d2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links, many hosted on compromised WordPress sites, directing users to external URLs. The document body, though heavily obfuscated, suggests a lure related to 'Java code to reduce pdf file size', likely a pretext to drive traffic to these malicious sites. No scripts were extracted, but the overall structure and URL distribution point towards a phishing or redirection campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/uplcv?utm_term=java+code+to+reduce+pdf+file+size
    • http://bezpieczna-strefa.pl/wp-content/plugins/super-forms/uploads/php/files/a617203956fc91d1009fdd4b81ac2c43/rulomodij.pdf
    • https://www.olympusnorge.no/wp-content/plugins/super-forms/uploads/php/files/3nff2n58jfo29ipic928quo3dh/99095016416.pdf
    • http://ejmk.com/ej/upload/files/76115381942.pdf
    • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a341fb03a7---zukevikifojadojiv.pdf
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/deeeb6a99e24f8d49329cfaaaf13d8f0/parofano.pdf
    • http://www.homefacelifters.com/wp-content/plugins/super-forms/uploads/php/files/fea12c7bb32ead4e25ef3ebcb25b01db/zemifurimuriwogivon.pdf
    • http://sevimticaret.net/userfiles/file/99160514843.pdf
    • https://www.jahnigterbraak.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16076eece2603b---42994862724.pdf
    • https://stillwaiting.org/userfiles/file/rixusitamubipa.pdf
    • http://www.photobreak.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bc974f871ad---pukikuxexuropolu.pdf
    • https://antoinepanau.com/wp-content/plugins/super-forms/uploads/php/files/fbde7b0f72141b5d19f36c32cec772f1/zumimupofupewapokuxini.pdf
    • https://daismene.it/file/pokama.pdf
    • https://skazkavdom.com/wp-content/plugins/super-forms/uploads/php/files/f1a8f79ce720396a4a823d86fd9be5a2/25921556895.pdf
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609ecf14ac087---18455255008.pdf
    • http://modern-pro.ru/files/file/voripejaraxafo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011668.bin
4c008f7fee71b6ce8e1a30c857c3f52e28b75220f32980f372d04a562b0e67a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11668 5248 bytes
font_01_sfnt_off00012864.bin
a61e1924f57d2640115265da6a8e99822a0598b6edf42915849dc951a236fa3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12864 12300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.