Malicious PDF — malware analysis report

Static analysis result for SHA-256 98250379648cc745…

MALICIOUS

PDF

77.8 KB Created: 2021-10-05 16:22:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 709f8edccf6ecfb9458e8fe3f7741075 SHA-1: 7ed3fa5a63d4b8a655de9a26dd447cc371f96d3a SHA-256: 98250379648cc745c1c142d0ccf1969fb40fc50ad467faf44472d5fd82791ae1
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external URIs, many of which point to compromised websites or disposable hosting, suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=solving+logarithmic+equations+and+inequalities+worksheet PDF link annotation
    • https://wrd13.com/force/file/44287730070.pdfIn PDF document text
    • http://asbu.net/uploads/FCK_files/file/xexunosaxifexukoram.pdfIn PDF document text
    • http://lagrupacio.cat/file/29766245036.pdfIn PDF document text
    • http://lifebeachvilla.com/uploads/image/files/27381405485.pdfIn PDF document text
    • http://pwharrison.com/userfiles/file/gevenujepinap.pdfIn PDF document text
    • http://www.sana-anong.com/ckeditor/ckfinder/userfiles2/files/veburoxefiboki.pdfIn PDF document text
    • http://www.performhabitat.fr/bundles/astadmin/js/ckfinder/userfiles/files/wubigadovidomejexotebe.pdfIn PDF document text
    • http://reopen911.info/media/file/86633913984.pdfIn PDF document text
    • http://es-manzokudou.com/yamituki-n/uploads/files/fevatenikevovexubu.pdfIn PDF document text
    • http://licorne-hotel-restaurant.com/userfiles/file/zudajemoz.pdfIn PDF document text
    • http://jamxmpharmatech.com/upload/files/9603031188.pdfIn PDF document text
    • https://stepweystudy.com/ckfinder/userfiles/files/44699031771.pdfIn PDF document text
    • https://projectmine.hu/ckfinder/userfiles/files/mugofuwotagez.pdfIn PDF document text
    • https://abhimaninteriors.com/ckfinder/userfiles/files/kowebizudab.pdfIn PDF document text
    • https://magnettoptan.com/upload/ckfinder/files/74396650111.pdfIn PDF document text
    • https://cakkue.com/contents/files/binimevogi.pdfIn PDF document text
    • http://thuonghieutoancau.vn/uploads/files/82465509194.pdfIn PDF document text
    • http://cl-pub.com/files/files/vukidofoj.pdfIn PDF document text
    • https://mailing.crpm.ch/ck/ckfinder/userfiles/files/sosidu.pdfIn PDF document text
    • http://packamate.com/userfiles/xokexuxatefegavadis.pdfIn PDF document text
    • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16146819eef0fc---zuzodibilasixo.pdfIn PDF document text
    • http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/161474c413b8f2---3366743411.pdfIn PDF document text
    • http://palakkadtourism.in/ckfinder/userfiles/files/52827390627.pdfIn PDF document text
    • http://nnk.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1613424e962d6e---geluxavavurukuluwukuwa.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c832.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC832 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e049.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE049 11384 bytes
SHA-256: e61bc133d0d35f257e4d4205c509bb2fe532d06bb950ca25de3a728a837ed9fb
font_02_sfnt_off0000fa78.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA78 18060 bytes
SHA-256: 58b8a9b10a1ed680d73a01addfae4761956180071780e405bfea52885bab4114