Malicious PDF — malware analysis report

Static analysis result for SHA-256 830cd2534ba3313b…

MALICIOUS

PDF

76.2 KB Created: 2021-06-22 17:43:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: 3d82af48dfd017007f66fa591abf08c1 SHA-1: 98eb5ab3b6bc8518bf2faea4a8d8535a2876aa95 SHA-256: 830cd2534ba3313bc738f87ef0919a642450392830901be4615f5215ea31889d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as Pdf.Phishing.Trojan. The document body and embedded URLs suggest a phishing lure related to online pharmacies, directing users to compromised websites. The presence of numerous links to potentially compromised CMS upload storage further supports a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160792659600f3---jozasumefegemekokepiwe.pdf In PDF document text
    • https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/61e1265fbaf236a0f9606457a98a01de/71453695272.pdfIn PDF document text
    • https://betenenergy.com/sites/default/files/file/9459611350.pdfIn PDF document text
    • https://hafa-verein.de/wp-content/plugins/super-forms/uploads/php/files/53e31840e338cdfc91f46e37d639e1a2/kedepukatowikadobip.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b6c21a5cd1---85442614790.pdfIn PDF document text
    • http://ipjanah.ir/wp-content/plugins/super-forms/uploads/php/files/q37rhu9ja6tofjkd8b6nl7rmq6/fobepezirabi.pdfIn PDF document text
    • http://thedewakohchang.com/image/upload/File/8607653502.pdfIn PDF document text
    • http://sip7.online/wp-content/plugins/super-forms/uploads/php/files/800ded001bd6f6a002904f9cf6b2aab0/zuxoborigovifugegew.pdfIn PDF document text
    • http://jevades.com/aircraft/fckimages/file/65498390384.pdfIn PDF document text
    • https://candbco.com/ckfinder/userfiles/files/91810143023.pdfIn PDF document text
    • https://fuchscars.com/wp-content/plugins/super-forms/uploads/php/files/f305a0e113b3c08d9e2bd3126825efea/52768815492.pdfIn PDF document text
    • https://advantagelic.com/singhania/downloads/file/21396311237.pdfIn PDF document text
    • https://comodee.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b87197e67e6---gavunanepateromagejip.pdfIn PDF document text
    • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/160767e87711fa---zojixij.pdfIn PDF document text
    • http://www.rebranded.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1608948e9429bc---mulidupuj.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=best+place+to+buy+viagra+online+yahoo+answersPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e604.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE604 5640 bytes
SHA-256: cf13eea3f840879303688a766627fd06d5da26cbd9a58e930d645eb59367c070
font_01_sfnt_off0000f94a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF94A 13508 bytes
SHA-256: d62cf9a8c9ce6813eeb0c23dbb4958c883639d639277afea385571691584f10c