Malicious PDF — malware analysis report

Static analysis result for SHA-256 969c50805eb0e91c…

MALICIOUS

PDF

77.6 KB Created: 2021-09-17 15:35:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 4e9b4004c660ba213d9d856902da1b67 SHA-1: 7a27032c47b10e17d2fa346cdac159eb094b1ac1 SHA-256: 969c50805eb0e91cf9b6616c08a39a1f9f417a2d640e1d850dc32f7eb8da5707
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream, which is a common technique for executing malicious code within PDF documents. This script likely redirects the user to external URLs, as indicated by the numerous PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics. The ClamAV detection further confirms the malicious nature of the file, identifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2910

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cplastik.cz/data/cms/file/ralafixadu.pdf In PDF document text
    • http://littlepearlbooks.in/data/eimages/file/61633721424.pdfIn PDF document text
    • http://gocep.org/data/userfiles/files/17911649453.pdfIn PDF document text
    • http://ashole.hu/UserFiles/File/gogikoramopinulugofogexus.pdfIn PDF document text
    • https://aiwcecckolkata.org/FCKeditor/file/vojakosekenufixonu.pdfIn PDF document text
    • https://iveducentar.com/uploads/assets/file/nilewokugenu.pdfIn PDF document text
    • http://myagreement.com/UserFiles/file/tulamugob.pdfIn PDF document text
    • https://zoldlepes.hu/userfiles/file/97967873032.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b46ca97c96---99319517495.pdfIn PDF document text
    • http://lexen.ca/userfiles/files/begoliwumesonikekoxesut.pdfIn PDF document text
    • https://citronel.com/userfiles/files/80567876565.pdfIn PDF document text
    • https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/161328faa65c61---rowatopatuwijapixaf.pdfIn PDF document text
    • https://ehbo-oostkapelle.nl/userfiles/file/20679481431.pdfIn PDF document text
    • http://websurin.net/UserFiles/File/19811448923.pdfIn PDF document text
    • http://hebakotb.net/userfiles/file/fomajitadurapogaxowavem.pdfIn PDF document text
    • https://voxel-avocats.fr/uploads/file/In PDF document text
    • https://www.smartfutureexpo.com/ckfinder/userfiles/files/peboxo.pdfIn PDF document text
    • http://pro-group.ru/userfiles/file/sibexizeb.pdfIn PDF document text
    • https://www.idd.no/ckfinder/userfiles/files/rilujakufoteturaguzaxipa.pdfIn PDF document text
    • http://www.martiusstaden.org.br/js/ckfinder/userfiles/files/wavutedewarukat.pdfIn PDF document text
    • http://5percent-design-action.com/upload/users/files/torijuworosaxisalopomegip.pdfIn PDF document text
    • http://1night2day.com/ckupload/files/92984768325.pdfIn PDF document text
    • https://jcmimoveis.com/userfiles/file/41398857322.pdfIn PDF document text
    • http://evevoyance.fr/adh/.-/file/18387817186.pdfIn PDF document text
    • http://vipacademy.org/userfiles/file/12538018099.pdfIn PDF document text
    • https://quanticabtl.com/cms_2018_quantica/sgi_userfiles/userfiles/files/5850070647.pdfIn PDF document text
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d9241410d5---wizamikabekavuzagibuvu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=how+to+restore+thumbnails+on+androidPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc32.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDC32 10832 bytes
SHA-256: ed1ad60971951a49a5cf21793ceca1c6db0fdaa322c8f0ef3ebf702a61e1643f
font_01_sfnt_off0000f500.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF500 18756 bytes
SHA-256: 9d652e49d0c8cab3014fbb8af7686d6cb15a559678d693b65ff2dcac67917945

Open this report in the interactive analyzer, or submit your own file for analysis.