Malicious PDF — malware analysis report

Static analysis result for SHA-256 865927a5986d4822…

MALICIOUS

PDF

72.3 KB Created: 2021-05-30 19:00:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-31
MD5: be5143f2f8141c8398cfae4ccdf475f2 SHA-1: c25a47a8a453c3047cb82f6768ba960b526091d2 SHA-256: 865927a5986d4822773e8175d3ce5bd9cb17259c77f570de1f3afcbc91276c30
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as malicious by multiple heuristics and a machine learning classifier, with ClamAV detecting it as a phishing trojan. The document appears to be a link farm, directing users to various compromised websites and disposable hosting domains, likely to distribute further malicious content. The presence of numerous PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM firings indicates a strong intent to redirect users to external, potentially malicious, resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://portalcom-b2b.es/img/user///file/_0103316001619919959.pdf In PDF document text
    • https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/k4su87uto2fracb4tm860k0oj7/wefokifitavewewepenimo.pdfIn PDF document text
    • https://fjordancv.info/wp-content/plugins/super-forms/uploads/php/files/e29ba453255d76b9205f53d53ac45f7a/sotizizubozuwike.pdfIn PDF document text
    • https://service-panev.com/userfiles/72046197406.pdfIn PDF document text
    • http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a451d7f306e---39649426884.pdfIn PDF document text
    • http://schodylux.pl/userfiles/file/22962216608.pdfIn PDF document text
    • http://erfolgsapp.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b03900b071c---napor.pdfIn PDF document text
    • https://www.ideaklinikbakirkoy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ee9338cb85---6172069511.pdfIn PDF document text
    • https://www.hemoroidklinigi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608307d8191eb---93017569411.pdfIn PDF document text
    • https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/ac7f0ff6c01179dcf21a2e65bde98207/kifefurulobevosu.pdfIn PDF document text
    • https://duext.com/wp-content/plugins/super-forms/uploads/php/files/18d5b4e9c2870e7c67f82802a7aff4aa/44273176560.pdfIn PDF document text
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/9cf55d1eb7c3dead2646c55a3900292d/44061314955.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160897375f1ea1---60885441404.pdfIn PDF document text
    • https://sharidendesignasphalt.com/wp-content/plugins/super-forms/uploads/php/files/97b005f9873026a768af24cedcc69a56/96637355732.pdfIn PDF document text
    • http://lbs.ac.at/wp-content/plugins/super-forms/uploads/php/files/hh8bbpc8695i8sqc7ko7rh5eh1/wumiduzilaxomefedowaxuni.pdfIn PDF document text
    • http://architects-desk.com/uploadsfile/todos.pdfIn PDF document text
    • https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/c881445b11cd0af6d7763e61ae2d8f80/74320067354.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=charlie+chaplin+modern+times+worksheet+answer+keyPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da3d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA3D 5476 bytes
SHA-256: 4a5539ae2184164a635ed9acd369c0d4d07f2303b1ff53dc2d553e3230c311be
font_01_sfnt_off0000ecbf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xECBF 10864 bytes
SHA-256: 93e26ae3f3dbe728c11a85512adbbaa6d555742f549a8b6d06786146c0a2b7b5