Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bc3c5d740afa783…

MALICIOUS

PDF

166.2 KB Created: 2021-06-18 11:55:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: b665beb80d216b696cf4dd4ca197bb32 SHA-1: 69306fa6080208af476ac06c5ba7075b656e7180 SHA-256: 8bc3c5d740afa783cbc3e47a997b705aeb09660efaad639e0257ccaf880173c1
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document body, though partially corrupted, suggests a lure related to educational notes, which is further supported by heuristics identifying it as a link farm and a potential invoice/payment lure. The embedded URLs point to various domains, some of which appear to be compromised WordPress sites, suggesting a distribution network for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=plus+two+business+studies+notes+by+ajith+kanthi PDF link annotation
    • http://gloria-eurex.com/musameradadixebiwem.pdfIn PDF document text
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16093d9d0281e6---5428837958.pdfIn PDF document text
    • http://zionhillfirstbaptistchurch.com/clients/73368/File/bikofebizukevalixegi.pdfIn PDF document text
    • https://rittenhousesmiles.com/wp-content/plugins/super-forms/uploads/php/files/bdbcbc7a5363190ab5eab795f264063e/josiredexer.pdfIn PDF document text
    • https://sg-design.top/wp-content/plugins/super-forms/uploads/php/files/74cde80da5b0801443aa9c32bbf9bd21/wopinop.pdfIn PDF document text
    • http://m2m2design.com/userfiles/nivogaduloz.pdfIn PDF document text
    • http://unseenadventure.com/userfiles/file/81300297536.pdfIn PDF document text
    • https://avgdesign.com/userfiles/file/71403256438.pdfIn PDF document text
    • http://blatt-gruen.ch/files/18645152760.pdfIn PDF document text
    • https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160791866583ae---51293386548.pdfIn PDF document text
    • https://holzhaus-suedtirol.it/wp-content/plugins/formcraft/file-upload/server/content/files/160713bae54097---xopit.pdfIn PDF document text
    • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099b281b418d---11839130631.pdfIn PDF document text
    • https://motionslam.com/wp-content/plugins/super-forms/uploads/php/files/90597fbbda21f5348b50a1455dcb8e51/24977346462.pdfIn PDF document text
    • http://extracam.es/app/webroot/arxius/file/wetowunexovevepuwe.pdfIn PDF document text
    • https://kultmotor.hu/images/files/34467433391.pdfIn PDF document text
    • https://www.hauptsache.cc/wp-content/plugins/formcraft/file-upload/server/content/files/1609c1810e58d0---xuwatesiwepazapinafus.pdfIn PDF document text
    • https://ols.lighting/wp-content/plugins/super-forms/uploads/php/files/43a967fee5ed5cb5fa24bce7bb1966ef/terijibewuxo.pdfIn PDF document text
    • https://geneolock.com/locktactyuma/userfiles/file/70919560037.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102HussainIn PDF document text
    • http://smc.org.inhttp://smc.org.inIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • https://gitlab.com/smc/meera/blob/master/COPYINGIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002325f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2325F 5172 bytes
SHA-256: 674cd3f79bd59799b4de27124636e07a645d177b59fb6ccdc130d0aa4a6872cf
font_01_sfnt_off000243f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x243F1 4928 bytes
SHA-256: 50c8b5c7c9cf3474c977913a94fa6248c086bbbab136884c309d5b0b1c2b24c3
font_02_sfnt_off00025658.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x25658 11204 bytes
SHA-256: 3c0eaad7280064570068ef524555e7905d5116f68da1d74bb10542d14f99a4ac
font_03_sfnt_off00027c69.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27C69 4324 bytes
SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2