Malicious PDF — malware analysis report

Static analysis result for SHA-256 951c44f94717705e…

Verdict: MALICIOUS

File type: PDF

Size: 88.8 KB
Created: 2021-06-26 05:08:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-24

MD5: 98fcb96c0242e9d063fe11867c42cc62
SHA-1: 476cbb0e4beb166cdb9f52e237f230a15d9e2467
SHA-256: 951c44f94717705e3943d050b408d16087f09926b41ccedd9627c889834b7e93

Risk Score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and a significant number of external URIs, many of which are hosted on compromised CMS platforms or disposable domains, indicating a link farm designed to redirect users. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely for phishing or malware distribution. The embedded JavaScript may be used to facilitate the redirection or exploit vulnerabilities.

Machine Learning

  • Nyx PDF Classifier clean score 0.1139

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium; rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • PDF differential parser failed (severity: info; rule: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://catamma.ru/uplcv?utm_term=svt+and+shortness+of+breath (PDF link annotation)
    • http://clairerolo.com/userfiles/file/59647988020.pdf (in PDF document text)
    • https://yziact.fr/wp-content/plugins/super-forms/uploads/php/files/t3n0s631d0198rf56mlq24hbfm/nazirawalereliwik.pdf (in PDF document text)
    • http://www.aadhar-interior.com/userfiles/file/kefivifirawudawitu.pdf (in PDF document text)
    • http://maxitelt.no/wp-content/plugins/formcraft/file-upload/server/content/files/1606dc62955962---xazorumelefididorexiv.pdf (in PDF document text)
    • http://wildpflanzen-planung.de/file/zesedomoxibatolagalakino.pdf (in PDF document text)
    • http://gymostrov.org/gymostrov/userfiles/file/11155183841.pdf (in PDF document text)
    • https://centrosteadycam.it/wp-content/plugins/super-forms/uploads/php/files/6b3a09db4d41cc3e84a8cc396d8dc358/64103439741.pdf (in PDF document text)
    • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/5j5201aeiil3iqvlkveubm1a48/21855554586.pdf (in PDF document text)
    • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/930d3a822f04cb7659aa4a8e5d3bf835/towotilud.pdf (in PDF document text)
    • http://skyrunarser.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/2105241749236360562lvgup.pdf (in PDF document text)
    • https://k-kompany.ru/wp-content/plugins/super-forms/uploads/php/files/ade2df41ffde6c33ae4c99a8a84d6b36/takotivolinigitegezilusew.pdf (in PDF document text)
    • http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16084f7fa58752---burumin.pdf (in PDF document text)
    • https://hmv.ir/wp-content/plugins/formcraft/file-upload/server/content/files/1609d7d59e074b---45254723130.pdf (in PDF document text)
    • https://glasschneider.koeln/wp-content/plugins/super-forms/uploads/php/files/mvh9aura7od0u7i6sfvdiff48e/62979386340.pdf (in PDF document text)
    • http://www.tif.cn/wp-content/plugins/super-forms/uploads/php/files/rtkov82arev5akkem1ljcjtg3v/78457204987.pdf (in PDF document text)
    • http://graphicon.hu/wp-content/plugins/formcraft/file-upload/server/content/files/1609e3cbfb5236---gutolomiwokizokawabogu.pdf (in PDF document text)
    • https://presstone.hu/userfiles/file/92501794045.pdf (in PDF document text)
    • http://www.psstrecno.sk/wp-content/plugins/formcraft/file-upload/server/content/files/16081115290e3b---78741390550.pdf (in PDF document text)
    • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0c564137e5---60994140326.pdf (in PDF document text)
    • https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/718ba26647cbf9c00cbc9a57c0fd9d7c/43970600162.pdf (in PDF document text)
    • https://www.sharpeningfactory.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070f14499508---dirarorapamixejapep.pdf (in PDF document text)
    • http://gistys.com/userfiles/file/31389276754.pdf (in PDF document text)
    • https://autoroman-service.ro/imagini_ws/mofuwaxasejezimimekari.pdf (in PDF document text)
    • http://bridgesonthepark.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bb8055ae210---dirabalulovaluxetevox.pdf (in PDF document text)
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/160840a2052ed5---9319303310.pdf (in PDF document text)
    • https://autosofortkauf.ch/wp-content/plugins/super-forms/uploads/php/files/0d4qs0at5669rngeir6b13s1aq/porerosiki.pdf (in PDF document text)
    • https://arket.io/wp-content/plugins/super-forms/uploads/php/files/mli59ef2fdfmbtpt8had3h17ev/44636901013.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0001010f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1010F | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00011926.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11926 | 10592 bytes | dcaaa06d0259a729e1cd976c550b106a8d6e67bd59dd5e3efa1c4e69bc00e718
font_02_sfnt_off00013142.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13142 | 17492 bytes | 8739f362c7272552605a5b52e1fad1c0295236910cc1801e1b5a0623952f3202