Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a6ebe95aa1ff0ca…

MALICIOUS

PDF

76.2 KB Created: 2021-09-14 08:46:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 21d2a8a5b017012bcc68b327b7c1db02 SHA-1: 21f2b87efd9790802131e8ea5a56eaf1826c6c8c SHA-256: 8a6ebe95aa1ff0caa592ffda25a0113cc0a1d352a5345d1df8819a273875ed90
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and a large number of external URIs, many of which point to compromised CMS uploads or disposable hosting. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious classification. The embedded JavaScript likely facilitates the download and execution of a secondary payload from one of the provided URLs.

Machine Learning

  • Nyx PDF Classifier clean score 0.2303

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=dumpster+apk+premium PDF link annotation
    • http://thietbiytedaibao.com/media/files/loxopitufegizurexirezuv.pdfIn PDF document text
    • http://klaaswester.nl/img/file/52169620369.pdfIn PDF document text
    • http://manilag.com/FileData/ckfinder/files/20210906_36B968F06D46CCD1.pdfIn PDF document text
    • https://lostsoulsmemorialnj.org/wp-content/plugins/super-forms/uploads/php/files/7bc4d9f458d47e95a8c847ad3b513ffb/67607261472.pdfIn PDF document text
    • https://oferta.lt/i/File/febugamedenugepukiwiwa.pdfIn PDF document text
    • https://vietnamairlinescorp.org/js/ckfinder/userfiles/files/kadiwesuvigojipomunuvoden.pdfIn PDF document text
    • http://open.ua/uploads/ckeditor/files/32063225013.pdfIn PDF document text
    • http://laxycoffee.com/upload/files/veliviborupi.pdfIn PDF document text
    • https://mkycc4.com/kycc4.com/userfiles/files/902697073.pdfIn PDF document text
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/qcjdmbhjhfb4jvstdh9uto6oj6/56424577320.pdfIn PDF document text
    • https://directprocessors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16134d05120326---1995468422.pdfIn PDF document text
    • http://carshopm.com/js/upload/files/49987576884.pdfIn PDF document text
    • http://onlineticketreview.com/images/file/91316157665.pdfIn PDF document text
    • https://razredna-nastava.net/files/wuramuwanot.pdfIn PDF document text
    • http://n3ss.ro/ckfinder/userfiles/files/5476079233.pdfIn PDF document text
    • http://pkynfe.net/userfiles/file/39636442426.pdfIn PDF document text
    • http://danangsculpture.com/uploads/image/files/23406769684.pdfIn PDF document text
    • https://elminhaj.org/userfiles/file/91471583692.pdfIn PDF document text
    • http://luchetti.it/userfiles/files/68297947718.pdfIn PDF document text
    • https://aspit.ro/imagini_ws/pipegugajut.pdfIn PDF document text
    • http://gr-chem.com/upload/files/fatelivonazil.pdfIn PDF document text
    • https://indoshaolinkungfusociety.com/ckfinder/userfiles/files/54716370974.pdfIn PDF document text
    • http://heninrealty.com/userfiles/files/nunibima.pdfIn PDF document text
    • https://cmf8.ir/data/file/roremavojomi.pdfIn PDF document text
    • http://automyjka.pl/automyjka.pl/userfiles/file/55659822610.pdfIn PDF document text
    • https://lederstuhlshop.de/ckfinder/userfiles/files/5636295550.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD86 10336 bytes
SHA-256: e895a7efd8d1db9e3b073d59d36852451276f39888b508216c8d2ffb4fc912a2
font_01_sfnt_off0000f4ef.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF4EF 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1