Malicious PDF — malware analysis report

Static analysis result for SHA-256 83b63be4a1850c50…

MALICIOUS

PDF

90.8 KB Created: 2021-07-29 19:35:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-04
MD5: 67c16c5ca45f1eb586c75c4fe92d822a SHA-1: b652f2ef02dee771b8aaa53f017e3ad1232b014f SHA-256: 83b63be4a1850c50e04125a3ce15846f1df8960c38359cc1984d4b740064b92c
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.truegridpaver.com/wp-content/plugins/super-forms/uploads/php/files/e181daa2fa83ae47a0c248498207e6d6/50620569404.pdf In PDF document text
    • http://sahrugs.com/userfiles/file/33953285493.pdfIn PDF document text
    • https://klcmekatronik.com/ckfinder/userfiles/files/40500512383.pdfIn PDF document text
    • https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/1a01574c27e844e5e2c9ad5672bf4b50/69894293325.pdfIn PDF document text
    • https://jamurgoreng.net/contents//files/6998934265.pdfIn PDF document text
    • http://xn--o79av69abka850ab6c.com/upload/file/202106111412282496.pdfIn PDF document text
    • http://sts-logistika.ru/wp-content/plugins/super-forms/uploads/php/files/3b2a67a405cef55fd5c482e65b80f7d2/72052040320.pdfIn PDF document text
    • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b10b186f243---64713620745.pdfIn PDF document text
    • https://sce.tw/uploads/files/60fb950ab948b.pdfIn PDF document text
    • https://classykitchen.pl/web/uploads/files/pefaxiwakodujevab.pdfIn PDF document text
    • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/63o43i72hbdh69ut5otnplr9a0/45128319456.pdfIn PDF document text
    • https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/228cd7d6a7bc6b9815787585be5c55bc/vurojilotozuposizudewi.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086724f37797---65093593408.pdfIn PDF document text
    • https://likeevent.it/writable/public/userfiles/file/60512596652.pdfIn PDF document text
    • http://soluzionebenessere.eu/userfiles/files/vakun.pdfIn PDF document text
    • https://alternativecarrepair.com/userfiles/file/tamekifita.pdfIn PDF document text
    • https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/22t28dcf2p4tdkuqf3drlnrnok/63595723431.pdfIn PDF document text
    • https://www.hintonassociates.com/wp-content/plugins/super-forms/uploads/php/files/ec3acc9e617529e5137d1282f9d768c5/wifivilosojakefinilupo.pdfIn PDF document text
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/2ku1kj4auaem6r7cd7sevqfmje/15438627744.pdfIn PDF document text
    • https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086b87fceaab---916596481.pdfIn PDF document text
    • https://xn--80aaijz0c.xn--p1ai/ckfinder/userfiles/files/kexebajamip.pdfIn PDF document text
    • http://beachfirebrands.com/userfiles/file/kudaje.pdfIn PDF document text
    • https://festival-bg.com/media/ckuploads/files/babuludirutawuzujetosilok.pdfIn PDF document text
    • http://www.hollyskauaicondo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f553ae9c120---34260395115.pdfIn PDF document text
    • http://www.aadhar-interior.com/userfiles/file/16315058968.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=dc+voltage+drop+calculator+excelPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001020a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1020A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00011a1c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A1C 16712 bytes
SHA-256: ea5497421d1f7c7cc1554f46d5df6ecc9bb2838e4901629445b581deb599e9bd
font_02_sfnt_off0001452a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1452A 10596 bytes
SHA-256: d81e4c56583735438e3b618d6703b5cbe978c2f9e5c4f2ef91ef873c35bb6af1