Malicious PDF — malware analysis report

Static analysis result for SHA-256 8840e62365318b94…

MALICIOUS

PDF

84.4 KB Created: 2021-06-29 15:22:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 1df4ebe0a5217a5243b354480f4e8406 SHA-1: 6135a23a590cf864b397c418293fa1e2fbd2c800 SHA-256: 8840e62365318b94d29af6ccd6f05dd49ead6195d8c0edc1f713541e508040d5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress sites, indicating a link farm designed to redirect users to malicious content. ClamAV and ML classifiers confirm its malicious nature, specifically flagging it as a phishing trojan. The primary attack pattern involves exploiting user trust through a seemingly innocuous document to lead them to further malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.lumisolar.pe/wp-content/plugins/formcraft/file-upload/server/content/files/16070d77189d73---78198367335.pdf In PDF document text
    • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/mmhe29dq4he2l3c5q0rjga9ths/33057735436.pdfIn PDF document text
    • https://journeypeople.cc/wp-content/plugins/super-forms/uploads/php/files/9a3073e340ab3d47e0b13f591e98543a/87462272057.pdfIn PDF document text
    • https://viboot.com/ckfinder/userfiles/files/xemad.pdfIn PDF document text
    • http://unipell.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607e844a65929---31963244540.pdfIn PDF document text
    • https://www.sblending.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16075b229e7b2b---niparotafunobowalojoriwu.pdfIn PDF document text
    • http://elonsummerstorage.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c9a10016a0---72735711401.pdfIn PDF document text
    • https://www.foundationofhope.org/wp-content/plugins/formcraft/file-upload/server/content/files/1608294173f7fb---89084622465.pdfIn PDF document text
    • http://gingerbreadvillage.org/clients/e/e3/e396b250b60561adcb946853f9f62e29/File/37654721868.pdfIn PDF document text
    • http://banghetretruc.com/media/ftp/file/pajuxuvax.pdfIn PDF document text
    • https://5uempat.com/contents//files/mitusudupomegitik.pdfIn PDF document text
    • https://londonvipchauffeur.co.uk/wp-content/plugins/super-forms/uploads/php/files/6ca49c1655661d3a40639ba0187a0676/33152070888.pdfIn PDF document text
    • http://thehawthornnyc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c7508ea2b9---garikezibiw.pdfIn PDF document text
    • https://hondamienbac.vn/userfiles/file/2166316051.pdfIn PDF document text
    • http://cohn-vossen.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072a0f78441e---woluvejepine.pdfIn PDF document text
    • https://humanistbeauty.com/wp-content/plugins/super-forms/uploads/php/files/dfsg3s4kdlo0vidml6smaivqh3/77479972687.pdfIn PDF document text
    • https://terravistahometeam.com/wp-content/plugins/super-forms/uploads/php/files/dfb9affb1882749456c5ac7a1a7861e0/14578018071.pdfIn PDF document text
    • http://gianphoiduyloimodel.com/Images_upload/files/rurisijasanibulevige.pdfIn PDF document text
    • https://relaxationplusmn.com/wp-content/plugins/super-forms/uploads/php/files/41dcbabdeea175dcbce8735ea1bef72b/putaw.pdfIn PDF document text
    • https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d0e8d2148b---10348327300.pdfIn PDF document text
    • https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/221136c67e6e7d6b1c4d2b652105d0c8/71184814919.pdfIn PDF document text
    • http://israel-aliya.com/wp-content/plugins/super-forms/uploads/php/files/2eb4bb0980f6bbd459905381389599ad/80424057585.pdfIn PDF document text
    • https://karapinarinsaat.net/userfiles/upload/file/budisemigerazetiweladi.pdfIn PDF document text
    • https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/1d7377611fa7ab926fd1d02954ab22ef/zuzovodubomibapom.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=white+nail+polish+meaningPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE9C0 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000101d7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101D7 10592 bytes
SHA-256: fd0f12ac06a0f57e564d31b41f535d7e473112b53d778efe140f1de7e64bbc88
font_02_sfnt_off000119d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x119D6 16428 bytes
SHA-256: 17f32c6eb113f72d4ff10185f0f766147b4f0096ce028896ad5625dfa3573d6c