Malicious PDF — malware analysis report

Static analysis result for SHA-256 947f75ac294425f6…

MALICIOUS

PDF

92.1 KB Created: 2021-07-08 03:26:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 96cafa7918517fb8f0c7acef49815ab3 SHA-1: bcccd2de38dec72d0243e5e61dd5a18680dc3ffa SHA-256: 947f75ac294425f693ac72ff9f31d11f03c737af8a179a249844432015e9c468
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to host and distribute a malicious payload. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may instruct the user to download an archive, which is then protected by a password provided within the document itself, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=the+amazing+spider+man+ppsspp
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b5cb0442741---zilakoguliwev.pdf
    • https://tamtam.com.ua/wp-content/plugins/super-forms/uploads/php/files/b2413f495a6c74f1a99151191e3e2117/ratewejebipazadisixotefu.pdf
    • http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608203859eb57---43670282087.pdf
    • https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abce0f50ab8---vilalu.pdf
    • http://ipsgroupjjn.org/userfiles/file/vixodu.pdf
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8e5be8b800---roren.pdf
    • https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/160bafc1383779---34916906235.pdf
    • https://ipic.vn/userfiles/file/16968994802.pdf
    • http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160ab0aae7aa4a---sukoxogiwiru.pdf
    • http://autosklo.sk/pictures/file/35403393013.pdf
    • https://www.ezhealthcheck.com/wp-content/plugins/super-forms/uploads/php/files/u9gl4k37sv95n0n5iff8r6tqb5/67254899815.pdf
    • http://pferdefreunde-brueckenhof.de/sites/default/files/userfiles/file/62909323215.pdf
    • http://rayzerfamilyreunion.com/clients/0/08/08e2d5bcffca37c2e1a82d364f4296c6/File/95762945078.pdf
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160707981939ba---99436011964.pdf
    • http://comp-art.ru/userfiles/file/kegubenijib.pdf
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/c0fddde9be9044a62ef3f0ec2b1cd9bf/wimematuzol.pdf
    • https://www.plsok.com/wp-content/plugins/super-forms/uploads/php/files/622fa1662257369a46457dd2af913abc/pimumugiw.pdf
    • https://manuscripthandler.com/userfiles/file/misizubujura.pdf
    • https://pikewallis.no/wp-content/plugins/formcraft/file-upload/server/content/files/1608d75f651e9f---lawemamureleg.pdf
    • https://salvamontbihor.ro/app/webroot/files/userfiles/files/monetumetimulezodot.pdf
    • https://trungtamgiasuhcmmq.com/uplaod/quangtri/files/66199022173.pdf
    • http://coytex.net//ckfinder/userfiles/files/xumodixe.pdf
    • http://victorylimo1.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083726e6b438---68968348792.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efea.bin
80f614696446e5f6be8a23c6d6faf3fc9973e3c781503aff319c66dbef4999c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEFEA 16852 bytes
font_01_sfnt_off00011c0a.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C0A 16792 bytes
font_02_sfnt_off00013421.bin
4a4b15dc1cb441db335c959e5add4b6f7d95ddc222b1af6f1733eb669f8ff580		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13421 10596 bytes
font_03_sfnt_off00014bde.bin
fd494554c7a7a2c4488382a78096c535ff133766c7221992be4f6a58596b2467		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14BDE 16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.