Malicious PDF — malware analysis report

Static analysis result for SHA-256 93af272673d6758b…

MALICIOUS

PDF

Size: 122.8 KB
Created: 2021-06-19 05:55:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 0a0a9af34eef75b78318872305beaddc
SHA-1: 45bfd74b774d89c66f19c8887b755f630e599828
SHA-256: 93af272673d6758bfbf099bfeff5a7df420ad4049cb0b77d060813930ec47e81
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm pointing to compromised CMS uploads and disposable hosting, suggesting an attempt to redirect users to malicious content. The document body contains seemingly random text and metadata, but the embedded URLs are the primary indicators of the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9915

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_008_off00019a72.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x19A72 | 24540 bytes | 5c6981979114c2406f7fe85064d6c29c7be0e60bdba4a490a15172a4e32b3002
font_00_sfnt_off0000d899.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD899 | 7328 bytes | 99cf45b5cc4e5e0e8502fe7ebaee3ff6d676c29e397be9f7be85b51a5be34b95
font_01_sfnt_off0000ebbb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBBB | 5112 bytes | 56414f9c4e9c0f323ee7c8ad03550c27bb1ba89026036a4d8df46bad025886f1
font_02_sfnt_off0000fd1c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFD1C | 6172 bytes | de52f7595a709230f0a85e4ecc9eda8fbf17258a197489857f59795183dbd089
font_03_sfnt_off00011125.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11125 | 20252 bytes | 49ab3149462b1f08db1495bb641afe2ad3220cbaf051eae969270ed6663f4436
font_04_sfnt_off00014878.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14878 | 9248 bytes | 3c57a3e4612bf5bef0f81759af8ece0afffa42f0999a97d908a8371c9727bf0d
font_05_sfnt_off00016294.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16294 | 22108 bytes | 0114def352747509f89a5e266d3e9157c4f58ba5a2703511b205443f05a2c52e
font_07_sfnt_off0001c61d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C61D | 4324 bytes | 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
font_08_sfnt_off0001d3d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D3D0 | 1740 bytes | 0fa38b11e28a8990e1b947714e894fba9dc87d533679748745bc540cfc52814c