Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ce4c751f28a8663…

MALICIOUS

PDF

86.3 KB Created: 2021-09-09 07:05:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 0c1db4feb82d95eea184335be2db9d86 SHA-1: 5a410a20168f347be6bdb2f0e4f0ea16f59d4a73 SHA-256: 9ce4c751f28a8663398bdbb2632ba6efa0577d3dd8f3005129c7985f97948f28
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to compromised websites and a deceptive download button, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were directly extracted, the PDF structure and embedded URLs point towards a phishing lure designed to trick users into downloading a malicious payload, likely exploiting a PDF vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9905

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=vpn+lite+app PDF link annotation
    • http://mitroc.com/userfiles/file/misemupolajo.pdfIn PDF document text
    • http://markfarolaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/mupugerubetevupewiw.pdfIn PDF document text
    • https://przyklejki.pl/userfiles/57841669552.pdfIn PDF document text
    • http://9262895.ru/ckfinder/userfiles/files/93929473408.pdfIn PDF document text
    • http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/161365c20ca205---bokavivuzupiwimaz.pdfIn PDF document text
    • https://www.babetravelling.com/ckfinder/userfiles2/files/3538609360.pdfIn PDF document text
    • http://quangcongluc.com/upload/files/62186290190.pdfIn PDF document text
    • http://xn--80akazwaeiw.xn--p1ai/editorfiles/file/tububuzerivazajusow.pdfIn PDF document text
    • https://www.denisonlandscaping.com/wp-content/plugins/formcraft/file-upload/server/content/files/161394658cc180---wofosipogo.pdfIn PDF document text
    • http://cpviettin.com/upload/files/mujopaxenupesuwelozus.pdfIn PDF document text
    • http://www.peritaonline.es/ckfinder/userfiles/files/bovifol.pdfIn PDF document text
    • http://dedanskecasinoer.dk/userfiles/file/38169777412.pdfIn PDF document text
    • https://pepsima.biz/files/file/walipugawagil.pdfIn PDF document text
    • https://hongdung.vn/ckeditor/images/files/papolebutuwixoloveme.pdfIn PDF document text
    • http://roomyab.ir/basefile/roomyabir/files/2267350820.pdfIn PDF document text
    • http://gewidor-gmbh.de/uploads/files/20271676223.pdfIn PDF document text
    • http://rainhouse.kr/data/editor/file/4933226133cc4f29348.pdfIn PDF document text
    • http://kaies.net/upfiles/file/28720098307.pdfIn PDF document text
    • http://yatros.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1612f9c28a683c---gojijewunigoviwejaligoge.pdfIn PDF document text
    • https://www.gpaci.org.br/cms/ckfinder/userfiles/files/19898654341.pdfIn PDF document text
    • http://uniontsg96.ru/admin/ckfinder/userfiles/files/lifibolifalim.pdfIn PDF document text
    • https://tranduongauto.com/app/webroot/files/images/pages/files/jemiluruxuditaware.pdfIn PDF document text
    • https://doctmcooper.com/userfiles/files/revezavikuvaxezujezo.pdfIn PDF document text
    • http://kenshopvn.com/uploads/files/38506734351.pdfIn PDF document text
    • https://newsale.linyn.mobi/upload/ckeditor/pages/files/18807345381.pdfIn PDF document text
    • https://bi-kiesabbau.de/cmsimple/images/file/mogudil.pdfIn PDF document text
    • http://grupophi.es/uploads/files/21894276213.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f099.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF099 17312 bytes
SHA-256: be25a5f2c78ee4663b3e6c22eeda0a1ed384870b86017072bb04e189b00808e2
font_01_sfnt_off00011dab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11DAB 9828 bytes
SHA-256: 6f1f4f3dbd5e7015e2ea3effd42dd99d6c054587b9559fa7f25f629e2fe38c16
font_02_sfnt_off00013356.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13356 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1