Malicious PDF — malware analysis report

Static analysis result for SHA-256 934204fdbd51d372…

MALICIOUS

PDF

70.1 KB Created: 2021-09-26 05:04:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 557bf5c6a800ebb60c98d5c0e02e93f7 SHA-1: 8e01d55e92fc979025a6d3815367d58f70236f4c SHA-256: 934204fdbd51d372b1ef88009b3750d3e552b62e7887d6836735bc2c5ed04881
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many pointing to compromised CMS uploads and disposable hosting, suggesting a link farm designed to distribute malicious content. The presence of embedded JavaScript and a high ML classifier score further indicate malicious intent, likely for phishing or malware delivery. ClamAV also detected this as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=room+database+kotlin+tutorial
    • https://moraure.net/js/ckfinder/userfiles/files/tifosig.pdf
    • http://aspbae.org/userfiles/file/jinivagolowakod.pdf
    • https://www.kuwaitpolyurethane.com/ckfinder/userfiles/files/31968464197.pdf
    • http://vibrobeton.by/pics/files/palunajifavobelalam.pdf
    • http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614f8be9f2671---xomobidil.pdf
    • http://taxfreepoint.com/file/xefiseligibunurufi.pdf
    • http://placidlakes.com/larpm/uploads/file/xojezelomu.pdf
    • http://christmaslandint.com/userfiles/wifuloruzew.pdf
    • http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/161343cd41b675---pivizes.pdf
    • http://sanraimundo.cl/dyn/uploads/file/penulamava.pdf
    • http://aias.pnu.ac.th/ckfinder/userfiles/files/89412107213.pdf
    • https://netpage.info/userfiles/file/84540569322.pdf
    • https://mami-m.com/Uploads/userfiles/files/31155499262.pdf
    • http://birizgardenhotel.com/userfiles/file/12854228076.pdf
    • https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/af2f253e3f01105a42bba2dd85183dd7/nujipena.pdf
    • https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16133c58522661---kunodevaxanorelejeduteb.pdf
    • http://sdtrafficticketlawyer.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/16311145080.pdf
    • http://francescasciortino.it/userfiles/files/lezukokovukimelumotovemu.pdf
    • https://jamuiboe.com/webroot/upload_media/wogexotaku.pdf
    • http://emailreceptionist.net/userfiles/file/99531732548.pdf
    • https://sharks-cz.cz/images/file/fidosotamod.pdf
    • https://aeternoplanning.com/ckfinder/userfiles/files/69078357151.pdf
    • http://tfh-filter.hu/_user/file/pefufozuxutoferevib.pdf
    • http://studiocalderini.it/userfiles/files/vosovafatupokezawoxi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b2f8.bin
6257046d840ee58b5ee85063cf74eea5678944f189f09947bb8a1c436199292a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB2F8 10784 bytes
font_01_sfnt_off0000cbc5.bin
15ed81021e83c5611000beb7cd1ac24729e8a0c6a5c5bc5abee50245cdc316a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCBC5 15224 bytes
font_02_sfnt_off0000f27b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF27B 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.