Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dc2345ba84937bb…

MALICIOUS

PDF

96.4 KB Created: 2021-07-28 05:50:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d8db8b9c4c935ae3295268ef96db273f SHA-1: a0ab370975f9a5f451612a12d849ad9f7034b124 SHA-256: 9dc2345ba84937bb09a4455b67e5faa63e2ba17bf599bed465dab2b34c9a6273
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ML classifiers and ClamAV, with the specific detection 'Pdf.Phishing.Trojan-d2568dad23a94d95'. The file functions as a link farm, containing numerous URLs pointing to potentially compromised WordPress sites. These sites, in turn, host other PDF files, suggesting a multi-stage attack designed to deliver phishing content or further malware. The presence of multiple distinct hosts and the use of 'utm_term' parameters indicate an attempt to obscure the true malicious intent and potentially leverage SEO tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e4beed9d0e---lamato.pdf
    • http://www.hcibatiment.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160a7a8317c515---86790243576.pdf
    • https://www.colours-of.com/wp-content/plugins/super-forms/uploads/php/files/brubi0obdmmh17hj603sdnvhe6/41161486228.pdf
    • http://diplomat2014.ru/ckfinder/userfiles/files/wamugus.pdf
    • https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c58632ccc59---22885754967.pdf
    • http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a93e14dcc31---12810671579.pdf
    • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/fcbfc23d36e948983f725d59493769e8/39729972645.pdf
    • https://audreyheselmans.com/_files/file/mubiwu.pdf
    • https://matskaren.se/anvandarbilder/203/files/95624721134.pdf
    • https://www.litesourcenc.com/wp-content/plugins/super-forms/uploads/php/files/14a6ac03d265c3ac893f48d30059741d/31498172359.pdf
    • https://vgi-vn.vn/app/webroot/img/files/zirofonepidalegifipe.pdf
    • http://opalsolar.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160712782d12b4---8273029458.pdf
    • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e223175143b---31666717976.pdf
    • https://www.infratechgroep.nl/wp-content/plugins/super-forms/uploads/php/files/3576f774c25dcc67c2a0d377af359285/wanirariduwexosezu.pdf
    • https://benchmarktransitions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160714752a2412---80187776837.pdf
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/34f541b53e110dc00057db2d658f8e6b/kilaviripimu.pdf
    • https://lescourailleurs.com/upload/editor/file/60937282531.pdf
    • http://grupposcorcia.it/userfiles/files/tetakikekizegug.pdf
    • http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c6f5147f78d---wukovojazifirebokakafoza.pdf
    • https://nam.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b94a1eab7ab---31422366156.pdf
    • http://hatowo.com/app/webroot/uploads/files/figivijulimadu.pdf
    • https://mandalaconfeccao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609e028c8337f---12228208099.pdf
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9a00ad9adc---74428508637.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=pocketband+pro+apk
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off0001191c.bin
df30be004109806899f2dec04d0b56c3b615577eaa8af7f8e0c287ad3a95aa82		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1191C 19880 bytes
font_00_sfnt_off0000e974.bin
1807fc493894507644c336b1c88b49242c6be5126349bca28c2142e478094600		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE974 10436 bytes
font_01_sfnt_off0001010b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1010B 16792 bytes
font_03_sfnt_off00013b13.bin
124b336f973e4603e57fe036269403e390e2c40f865e70d97de719ba7583b89a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13B13 21452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.