Malicious PDF — malware analysis report

Static analysis result for SHA-256 84bc1a11a7831708…

MALICIOUS

PDF

94.8 KB Created: 2021-06-13 05:09:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16
MD5: 9e433f351ddea88fccac5a2e47bf0555 SHA-1: 8f897febf4dd363228bff961f3f20771152c75e9 SHA-256: 84bc1a11a78317082955acee2645d496e68a36cc820717e6c40c196e04d4b042
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains multiple links to compromised websites and disposable hosting, suggesting a link farm designed to redirect users. The presence of 'budgeting templates excel' in a URL parameter indicates a lure to entice clicks. ClamAV and ML classifiers confirm its malicious nature, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=budgeting+templates+excel PDF link annotation
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160743ad79a98b---2919663361.pdfIn PDF document text
    • https://grahampropertytax.com/wp-content/plugins/super-forms/uploads/php/files/daa255a185e54b0f1e6bd0ea3960354d/47418187928.pdfIn PDF document text
    • http://accessiblevehicleservices.com/userfiles/file/dawoxewizawevizifuxedit.pdfIn PDF document text
    • https://rjiminfra.com/wp-content/plugins/super-forms/uploads/php/files/4af8ca018e98f31bf2182f51713b4fd2/viwalupisitofefovivowu.pdfIn PDF document text
    • https://www.treehousecare.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606d38c182e29---votigaputonisifowolila.pdfIn PDF document text
    • http://bannermaul.com/userData/board/file/gikowinopavemosij.pdfIn PDF document text
    • https://hps-gruppe.com/wp-content/plugins/super-forms/uploads/php/files/spe5dn1isl3346juqfb9d1gtsa/53203367114.pdfIn PDF document text
    • https://askopenko.com/wp-content/plugins/super-forms/uploads/php/files/ed2220b32e4f11ccd2df51534af41a1f/zexowajoxekivijeful.pdfIn PDF document text
    • http://billsky.ee/files/file/vijofakesefib.pdfIn PDF document text
    • http://aleeblog.com/wp-content/plugins/super-forms/uploads/php/files/k8qrukurtd2sm8bt9kndlvi5t4/mobawajumiwadufupurutopop.pdfIn PDF document text
    • https://www.beewellrx.com/wp-content/plugins/super-forms/uploads/php/files/tmp/73589017087.pdfIn PDF document text
    • http://anhuifan.com/upload_fck/file/2021-6-8/20210608224149888175.pdfIn PDF document text
    • https://calldidocta.com/wp-content/plugins/super-forms/uploads/php/files/626f4d065be0497fb9e1706940e76ed4/61821300405.pdfIn PDF document text
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/252b48889870764f202c124dcf9be4b0/xipulopirixagaw.pdfIn PDF document text
    • http://claudiodauelsberg.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607cdca255926---lifotinebujut.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000132dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x132DD 5412 bytes
SHA-256: 162cd6211e142e8ade18148788ee2b7d3c6a66f5082615aaa22ae246641a25f4
font_01_sfnt_off0001453f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1453F 11548 bytes
SHA-256: 8083827636904cd0560a32730f629477acdd4af9260130e4c9b177410865110c