Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fbf1042fceba982…

MALICIOUS

PDF

64.4 KB Created: 2021-04-30 12:10:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b0c7f803edc8745d264bf728e9d42408 SHA-1: 6d581e16688b77c579ea8795e485906931047543 SHA-256: 8fbf1042fceba9820e61b5d873f8870598ecc8b66be8782c9f882c37920b37ba
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains multiple links pointing to compromised WordPress sites, suggesting a phishing or malware distribution attempt. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a link farm on disposable hosting, and ClamAV detected it as 'Pdf.Phishing.Trojan'. While no scripts were explicitly extracted, the presence of numerous URLs and the nature of the heuristics strongly suggest a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://global-gypsum.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608390d485fa6---28244263322.pdf
    • https://ficsllc.com/wp-content/plugins/super-forms/uploads/php/files/mkrokht6qav6nc0kvqqq54qr2k/14255349742.pdf
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/be880fe722e295a764b101ace60919fe/pewuliju.pdf
    • http://www.maarsehoveniers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d36149bcef---22888252926.pdf
    • https://www.corridar.com/wp-content/plugins/super-forms/uploads/php/files/skvotjlm5mpv1j2npak7gqtp5l/fipefijidagilodogi.pdf
    • https://controlcert.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607036a6ad701---7521984248.pdf
    • https://www.marvistasales.com/wp-content/plugins/super-forms/uploads/php/files/e2fdd524e33e4a2949ee0cffab6f685d/25317875227.pdf
    • https://plswa.com/wp-content/plugins/super-forms/uploads/php/files/a9dfa3f1fd5569001bf0306239474606/norakuxo.pdf
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/16083fa8f0762f---50075848158.pdf
    • http://paymentsbusiness.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608772112f9d8---bibakunerojizirado.pdf
    • https://pluckywize.com/wp-content/plugins/formcraft/file-upload/server/content/files/160867386b05cc---jusowuva.pdf
    • https://www.oneirishrover.com/wp-content/plugins/super-forms/uploads/php/files/4a6c4b29bfebf624e9129a26e9755c99/tupibelovofevaromu.pdf
    • http://kapelski.pl/userfiles/file/dovomuzis.pdf
    • https://www.hotwaterfactory.com.au/wp-content/plugins/super-forms/uploads/php/files/98ab1102bdcbc8347d5fa54ac56abe0b/bisofubo.pdf
    • https://olgapopovaphoto.com/wp-content/plugins/super-forms/uploads/php/files/a1240fbfd5b1fe291ed502042e27ca42/89644887016.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=agbara+ife+yoruba+movie
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c18c.bin
ce79640418162f9b058d2255324fa70550bc1aef1d2d8b1641c01b70ac71bf41		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC18C 5168 bytes
font_01_sfnt_off0000d329.bin
c081c8027f2f0fb1609a0692631f1080a62d03f19470d5cb4e271d8d0ec51b80		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD329 9992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.