Malicious PDF — malware analysis report

Static analysis result for SHA-256 83e356a0aa683b76…

MALICIOUS

PDF

115.5 KB Created: 2021-06-26 19:44:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f4ced43f1d86c6a5775010c21e404380 SHA-1: 34f59ac8d519ea1519bbf5efb5fe959b3f798948 SHA-256: 83e356a0aa683b7641aa6c6959c3c4b9a1a1dbdddb860135efe9d7507886743f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It functions as a link farm, containing numerous URLs pointing to compromised CMS upload directories and disposable hosting, likely to distribute further malicious content or phish users. The presence of multiple external URIs and a link farm structure indicates a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9885

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://studiorampinelli.com/file/deririjokefufemerabemobo.pdf
    • https://www.mclarenpress.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607372793e1f5---wugadijowixu.pdf
    • https://studiogreenwich.ru/wp-content/plugins/super-forms/uploads/php/files/ea0be53c098c062686dba94ac7b5b5d6/74998678876.pdf
    • http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/160741172d1dd3---19319409113.pdf
    • http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2410beee88---muzuwazemim.pdf
    • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607bbbf21e363---sajupibowemudinuwun.pdf
    • https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/163caa156732d11353d55ec1f3dfed5f/24020039266.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/jrnjs8um7t8bo1lnlooeae7k05/tuseziregikewitakeral.pdf
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a92e65c05cc---nakipagabunowamilararuz.pdf
    • http://itaindustrial.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609f9ed5e3ea1---sivisixir.pdf
    • https://discoverapartmentsforrent.com/wp-content/plugins/super-forms/uploads/php/files/8e28e71273d7f636dd8a2dd518b3ff16/kugatezafel.pdf
    • http://absolutelyneon.com/userfiles/file/jaluvazagaguxavudevosox.pdf
    • https://study-go.info/wp-content/plugins/super-forms/uploads/php/files/d62b688eb67655002a68a5f8fd365ca4/fasejaz.pdf
    • https://technok.cz/wp-content/plugins/super-forms/uploads/php/files/7322d27084509039a34ccfad0dde76d5/vidorekudolepuwuvugu.pdf
    • https://flycam.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1609e722ce2027---doxojopawevajiveg.pdf
    • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cdb43869503---73702083802.pdf
    • https://musikkursus.dk/userfiles/file/40540982317.pdf
    • https://kfz-gutachter-oliver-schiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a57506b1790---72151766651.pdf
    • https://www.reachcast.ca/wp-content/plugins/super-forms/uploads/php/files/7b26b5dfa6675f4aa6088a7b42fe036a/40551740113.pdf
    • http://xlsferrosilicon.com/d/files/65760046769.pdf
    • https://www.swx.global/wp-content/plugins/super-forms/uploads/php/files/9e54f981e0ec2730caeaf764997c9825/76587536343.pdf
    • http://hndgyl.com/v15/Upload/file/2021641249315872.pdf
    • http://nakatka.com/files/file/99845855659.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=digimon+story+cyber+sleuth+trophy+guide
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000156ec.bin
6e81f76d9aa01089f648cce7f58f1a589f8eb96d0fa8d413bb0c9b09b5a9f008		 pdf-font-stream PDF embedded font (sfnt) at offset 0x156EC 17564 bytes
font_01_sfnt_off0001852b.bin
e3a1ca7fbcde87b6e2bc585668cff1a50452d2a09c95c546c16e9f90aebd6500		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1852B 1636 bytes
font_02_sfnt_off00018cfc.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18CFC 16792 bytes
font_03_sfnt_off0001a513.bin
5ac40485dc1d07dd9b6a0ee049df78aa52da026d1b67b31490ba8f637fd3e904		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A513 11156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.