Malicious PDF — malware analysis report

Static analysis result for SHA-256 835e986e12281caf…

MALICIOUS

PDF

Size: 100.6 KB
Created: 2021-08-01 10:55:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: 2df5908951eccc11da316619dadf946b
SHA-1: 9ba4fe8d9363ecd98dd472024b4b91d53ed793b3
SHA-256: 835e986e12281cafa1fc5bf846e0dcefcdda4146ab8dc5dbc418d1c3592e2fa0
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier indicating phishing. It contains a link farm pointing to various domains, many of which appear to be compromised WordPress or disposable hosting sites. The primary purpose seems to be redirecting users through a chain of links, likely to deliver a malicious payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pferdefreunde-brueckenhof.de/sites/default/files/userfiles/file/nukumibamut.pdf  (In PDF document text)
    • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/b8rrnvf2h4mpn7m7482qehnqs8/zetatijufenixijuzafagiri.pdf  (In PDF document text)
    • https://branchennachweis.eu/userfiles/file/bojenuwujunizoxidot.pdf  (In PDF document text)
    • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/9604c2dccf25c135f1134593ff8158cf/82151890030.pdf  (In PDF document text)
    • https://virtualpulse.eu/UserFiles/file/10013812170.pdf  (In PDF document text)
    • https://garnet-medical.com/userfiles/files/86664979741.pdf  (In PDF document text)
    • https://carthink.org/wp-content/plugins/formcraft/file-upload/server/content/files/160f09e1f9ae2c---xijodikemerumefazimumojim.pdf  (In PDF document text)
    • https://www.mobytec.com.br/mobytec/wp-content/plugins/formcraft/file-upload/server/content/files/160aa00fe48ebd---tafopupovefexebufesokuwol.pdf  (In PDF document text)
    • http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/160dcd3c2a0395---1356536702.pdf  (In PDF document text)
    • http://birons.net/wp-content/plugins/super-forms/uploads/php/files/b6f9a5b7c4fa5f6843907afbc2a236e9/niwawukofegilumisate.pdf  (In PDF document text)
    • http://3sdent.com/upload/files/gawipitikuvotewimele.pdf  (In PDF document text)
    • https://mojer.bg/files/53436132008.pdf  (In PDF document text)
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/lq4khl35n9upvhrr84nv3nnvuj/bodivuvo.pdf  (In PDF document text)
    • http://global-poseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cba2616c9a---fipiwiwotelebimilawaja.pdf  (In PDF document text)
    • http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abe5443a457---zenatawusezazutenoji.pdf  (In PDF document text)
    • http://timelessmebel.ru/wp-content/plugins/super-forms/uploads/php/files/b531e6850e72944bf45f656b4b5e5aef/62170181168.pdf  (In PDF document text)
    • http://gps-ambroisie.com/ressource/site-image/files/dawubulolixizuxiki.pdf  (In PDF document text)
    • http://thm-holding.ru/wp-content/plugins/super-forms/uploads/php/files/bf1dc76ddbb6c6d8ecc67829a50a5012/24902970579.pdf  (In PDF document text)
    • http://www.mearesandassociatesllc.com/siteuploads/editorimg/file/texoxesixa.pdf  (In PDF document text)
    • https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160f07b2d59212---wimukagimavitowodufove.pdf  (In PDF document text)
    • http://inspiredindianfoundation.org/uploads/sisutezibasuza.pdf  (In PDF document text)
    • http://change4best.ru/upload/file/86720617766.pdf  (In PDF document text)
    • https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/3b1e6e98ac6b3c6b86e31030487f4eba/57963042042.pdf  (In PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=e+okul+notu+de%C4%9Fi%C5%9Ftirme+kodu  (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (In PDF document text)
    • http://purl.org/dc/elements/1.1/  (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (In PDF document text)
    • http://dejavu.sourceforge.net  (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License  (In PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_006_off00013576.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x13576 | 29568 bytes | 54d47b597c93f1d287f3a602caa7929ae82df300a8c685b5a4ce32b47af76a91
font_00_sfnt_off0000eed3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEED3 | 17544 bytes | 0942471e1c12acf5d311c1a06b864c59762cbb33401d038a7d6060d248888371
font_01_sfnt_off00011d18.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D18 | 10732 bytes | 129d052e5179e1c8857c71fff674ba98b91da6fd6f260513e8c590ade07855ee
font_03_sfnt_off00016a19.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16A19 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1