Malicious PDF — malware analysis report

Static analysis result for SHA-256 930646a0357b7785…

MALICIOUS

PDF

Size: 211.3 KB
Created: 2021-06-25 20:53:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0222591af15da3b8ee74ae5a55365e6b
SHA-1: 581ee7688a7088037cdd3eeaa5467286289d6d9f
SHA-256: 930646a0357b7785c93c9779b42e503fb6982882d1b4425291996cccc7662267
Risk Score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains numerous links to compromised WordPress sites, indicating a phishing or redirection attempt. Although no scripts were explicitly extracted, the PDF structure and the nature of the URLs suggest it is designed to lure users to malicious content, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9304

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0002b4cc.bin
  SHA-256: c87d3a154f68f2fa52936197df01f58012fb70c9f4278c9885a470afe52d69a0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B4CC
  Size: 1764 bytes

font_01_sfnt_off0002bd1f.bin
  SHA-256: 0d109d4dae487c51c47ba41bf6ff8e172e7a329fa13b2c1dc854b50d0994cfe1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2BD1F
  Size: 22700 bytes

font_02_sfnt_off0002f765.bin
  SHA-256: 10b8bbe2a88f195bafe27459f233425a93c7f37cfffec656d6f39b57d50d393d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2F765
  Size: 10768 bytes

font_03_sfnt_off0003105e.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3105E
  Size: 16792 bytes

font_04_sfnt_off0003286f.bin
  SHA-256: 337dae686eb32c98df795cea68f3eb5fc6de1cbf4e128a1048bbdb73e85c1144
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3286F
  Size: 16112 bytes