Malicious PDF — malware analysis report

Static analysis result for SHA-256 9932fd1f15edb430…

MALICIOUS

PDF

88.7 KB Created: 2021-06-30 09:04:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 4e531a65e9bb350579f39b8fd5a6ae4b SHA-1: df40feff4fd3ffb33ff7bacae4bad70870cf717e SHA-256: 9932fd1f15edb4307fa9af0c94e1fef5dc9de30f0dd869215d95e9e228c65923
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to compromised WordPress sites, specifically utilizing the formcraft plugin for file uploads. The presence of multiple links on disposable hosting and the use of UTM parameters suggest a phishing or malware distribution campaign. No scripts were extracted, and the document body was unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9888

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://perfectthesale.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607224c1437b0---logukazujaxexepuxopuba.pdf In PDF document text
    • http://hotelstrack.com/bot/ckfinder/uf/files/latoximesanepabegutareba.pdfIn PDF document text
    • https://marciasmithconsulting.com/wp-content/plugins/super-forms/uploads/php/files/f79753c12310f74fccd865589235788a/99469572997.pdfIn PDF document text
    • http://kystop.com/wp-content/plugins/super-forms/uploads/php/files/rfdcqejhtgpro8tj1jfm3jkl90/purajemekevulugerutenekos.pdfIn PDF document text
    • https://jollytime.ru/wp-content/plugins/super-forms/uploads/php/files/c37e4c17fce5d9aeb824d15c79426e75/nipalamuta.pdfIn PDF document text
    • https://empylean.com/wp-content/plugins/super-forms/uploads/php/files/df0qdov9bpgjmqeda6q9aj1em8/rubagepuf.pdfIn PDF document text
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca57441ef4---80525642181.pdfIn PDF document text
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097f922e63ec---57533786485.pdfIn PDF document text
    • http://altinay-law.com/images/file/wakufifelazuwefu.pdfIn PDF document text
    • http://hccc252.ca/clients/e/e4/e484b38507f190a955b66748903449e1/File/guxaxulinisosojidur.pdfIn PDF document text
    • http://kapalishakti.com/ckfinder/userfiles/files/bekotoruwefesuferivokosin.pdfIn PDF document text
    • https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/6fe00eead243ae99de93ad4c9aa27ad6/koxaruxabalubifigifizanaj.pdfIn PDF document text
    • http://bjoybrands.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a716db21ff4---gorobokojixuxukiro.pdfIn PDF document text
    • http://richardchong.com/userfiles/files/tilas.pdfIn PDF document text
    • https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/a1430fa5cf6a57304c909c769efe09ee/vikobiguwatule.pdfIn PDF document text
    • http://monkey-do.net/userfiles/file/titamegudu.pdfIn PDF document text
    • https://www.arc-welding.co.uk/wp-content/plugins/super-forms/uploads/php/files/37776rtcnar26qnbj24ni6igk7/tedosefisezepuwovasu.pdfIn PDF document text
    • http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b6124550346---ginuka.pdfIn PDF document text
    • http://novaserv.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608977a85ec6c---bizafilo.pdfIn PDF document text
    • http://sparkpro.lv/content/file/rezatubemitimakekekutixo.pdfIn PDF document text
    • https://stakeoutllc.com/wp-content/plugins/super-forms/uploads/php/files/1a6bbbaeecaa78f58740571f7e3ffdaa/dobetan.pdfIn PDF document text
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160982f8278dc9---27945307981.pdfIn PDF document text
    • https://www.energetisch-therapeut-estie.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606f9c4d2e12f---wekebefopivofemajegoze.pdfIn PDF document text
    • https://kvkumariajnkvv.org/singhania/downloads/file/zufaviwageleloletova.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=jpg+to+pdf+without+white+backgroundPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f6bb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6BB 11096 bytes
SHA-256: ad6e5072ad81e2cd23a7db474e6925fd064bfe4a0626d4f4a231cc7bca4022c3
font_01_sfnt_off00011035.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11035 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012847.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12847 18144 bytes
SHA-256: b2e682b9c9a785ea20ef2e89987e30744af80db8cda1ce19f66e700a2a36f98b