Malicious PDF — malware analysis report

Static analysis result for SHA-256 956a10a5cbb2c489…

MALICIOUS

PDF

72.0 KB Created: 2021-04-28 14:19:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-30
MD5: a05e5c0a6fb5bbf5af02fc8f983e131e SHA-1: f61966cb386ddc85e2da1771b6fc36aa11ff45df SHA-256: 956a10a5cbb2c4896a04e55dcfa291f6c5111c62e207c16bdf317cf2f1043d95
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It contains numerous links pointing to compromised WordPress sites, suggesting it's part of a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, indicating it was likely generated programmatically to appear as a manual, serving as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.kidnuri.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071464977485---rigaverowawobetaguz.pdf In PDF document text
    • https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/16085f39267952---pubebilo.pdfIn PDF document text
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160819f2d4c70f---60811267218.pdfIn PDF document text
    • https://livingcircles.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1608736ff834d0---43212512629.pdfIn PDF document text
    • https://garyjetcenter.com/wp-content/plugins/super-forms/uploads/php/files/ba36f522645c2fd4c29f29ad875864b9/89194701402.pdfIn PDF document text
    • https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/1uj6ua0p9kqn3ddbgsnqh8pik4/gosoxe.pdfIn PDF document text
    • https://comodee.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088ae858aee6---31220816675.pdfIn PDF document text
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/16086553a9905c---13507394060.pdfIn PDF document text
    • https://www.mobytec.com.br/mobytec/wp-content/plugins/formcraft/file-upload/server/content/files/160869093385a1---povofamemoxavuneneve.pdfIn PDF document text
    • https://bluebeakbranding.com/wp-content/plugins/super-forms/uploads/php/files/eabad328a7f097698f40b0f699c12e61/92149539014.pdfIn PDF document text
    • https://shining4u.com/wp-content/plugins/super-forms/uploads/php/files/2e6da1fe906713d29f6d5eefb2fb8930/17072369527.pdfIn PDF document text
    • http://www.sunaryem.com.tr/wp-content/plugins/super-forms/uploads/php/files/k260gu72v5aj30tmvvca536be6/repalumiranidopu.pdfIn PDF document text
    • https://flexrocksrollovers.com/wp-content/plugins/super-forms/uploads/php/files/ldf1o8snituj71gtqh2ek9get4/36183947914.pdfIn PDF document text
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/9e103799a50af040260736c3e05363b4/98065478289.pdfIn PDF document text
    • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081fc8935794---43470584428.pdfIn PDF document text
    • https://www.accidentinjurylascruces.com/wp-content/plugins/super-forms/uploads/php/files/dkq7397187tdh7jef7g6me66ru/57220509352.pdfIn PDF document text
    • http://phillipwhiting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608713d7666b2---mipofasuwupenobabaxogi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=liberate+air+manualPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d619.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD619 4732 bytes
SHA-256: 2fa45c2bd8d3216e0d1da0eac97bef08332ef0caa0e99e3dc3c11e35c2e98a94
font_01_sfnt_off0000e616.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE616 14276 bytes
SHA-256: 2d7af3f072bb016d9b88d448b2d2114c0f23670234bcb25475145f35c5e5cf0c