Malicious PDF — malware analysis report

Static analysis result for SHA-256 8914a535108fe1ef…

MALICIOUS

PDF

81.5 KB Created: 2021-09-17 19:51:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: bc734acacdaa83ff5c49d8034d1cb049 SHA-1: 76aa61518b677a2738a0e8b96ff10428f4a1a8d0 SHA-256: 8914a535108fe1ef022cc338013b5013b0435c9ba2796b014b3610b836090306
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains embedded JavaScript and numerous external URIs, many of which point to compromised CMS uploads or disposable hosting. The heuristics indicate a link farm designed to trick users into downloading further malicious content, likely a phishing lure. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=fl+commando+2+mod+apk PDF link annotation
    • https://numen-wow.com/userfiles/cloud/files/28947420965.pdfIn PDF document text
    • http://czerwoneiczarne.pl/files/file/55126091327.pdfIn PDF document text
    • https://mk-promotions.com/ckfinder/userfiles/files/37191770809.pdfIn PDF document text
    • http://omni-links-europe.com/images/blog/file/89145770877.pdfIn PDF document text
    • http://xn--80aab8aioy.xn--p1ai/userfiles/file/75861948708.pdfIn PDF document text
    • http://dautuck.com/uploads/userfiles/file/24302353798.pdfIn PDF document text
    • https://bursac.net/userfiles/file/90872561417.pdfIn PDF document text
    • https://ccaquebec.com/userupload/files/10471730550.pdfIn PDF document text
    • http://mavelikaradiocese.org/rapha/ckfinder/userfiles/files/betabo.pdfIn PDF document text
    • http://www.kindytennis.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d86cbef3d0---pukija.pdfIn PDF document text
    • https://elicopter-de-inchiriat.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1613f60a27433b---61646357882.pdfIn PDF document text
    • http://thucphamchucnangmy.vn/uploads/files/zojiwitobujoruperutasa.pdfIn PDF document text
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/e16ef862349f8166a47eca8f33dd7665/26319740662.pdfIn PDF document text
    • http://fatimaartwork.com/userfiles/file/46883788645.pdfIn PDF document text
    • https://luxurytravel-show.com/wp-content/plugins/super-forms/uploads/php/files/dc63a72140de41e10fb4d5e63c0c7b20/warukefevorenekunuk.pdfIn PDF document text
    • https://geneolock.com/ckfinder/userfiles/files/zopazirapubus.pdfIn PDF document text
    • https://accounting789.com/ThImg/file/8728276580.pdfIn PDF document text
    • https://egyseg.eu/ckfinder/userfiles/files/foxunirunefov.pdfIn PDF document text
    • http://security-m.jp/tool/images/file/92853366348.pdfIn PDF document text
    • https://chachachat.info/js/ckfinder/userfiles/files/pemejejunutab.pdfIn PDF document text
    • http://inlikeflintlogistics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613345fce93f3---jobub.pdfIn PDF document text
    • http://e-kva.ru/admin/ckfinder/userfiles/files/82642693321.pdfIn PDF document text
    • http://combatkuntao.com/ckeditor/ckfinder/userfiles/files/lutekexodesasozuw.pdfIn PDF document text
    • https://vildmarksjagt.dk/userfiles/file/23378292949.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d92e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD92E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000f145.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF145 10272 bytes
SHA-256: 9fcb63b55edee743c1b7576955e6c445f0e9ff724e76b9168ec5e88286f74f85
font_02_sfnt_off0001085d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1085D 18640 bytes
SHA-256: 34535736230f475706b4984e3c4aaf10e3519408510734771227e80165415514