Malicious PDF — malware analysis report

Static analysis result for SHA-256 a009a6a9ebd5311a…

MALICIOUS

PDF

87.9 KB Created: 2021-07-17 04:03:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: b0be49b54e20f64c77b50fa675e27d82 SHA-1: f4ae4e3d9626c2eefd3d0a013c437b6daa2bd385 SHA-256: a009a6a9ebd5311a2fc38e31f97300bad1e6e9c78c8ec13eb663a9b7ac4bf7ed
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The heuristics suggest it functions as a link farm, potentially leading to further malicious content or scams, and specifically mentions a callback phishing lure. While no scripts were extracted, the structure and URL patterns are consistent with documents designed to trick users into initiating contact for fraudulent purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b9847a0ef1---40252732684.pdf In PDF document text
    • https://dukra.sk/editor_uploads/files/15432599174.pdfIn PDF document text
    • http://artside.org/data/temp/file/tasofo.pdfIn PDF document text
    • https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1609320c9a6752---31002740802.pdfIn PDF document text
    • https://omomediacion.com/wp-content/plugins/super-forms/uploads/php/files/fb0cf2cd2d9283302e0e3b19a3935339/doreduwuxomozotapijenegop.pdfIn PDF document text
    • https://xn--80aaa1anac6cg.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/22d574bb989492db6894bfe1fe735bf8/bajobajakep.pdfIn PDF document text
    • http://woonhuislift.info/wp-content/plugins/formcraft/file-upload/server/content/files/1607932ac48299---47554116210.pdfIn PDF document text
    • https://ceilford.org/wp-content/plugins/super-forms/uploads/php/files/8d6af6f1eca0d1c4c938ae108f67bb8f/18527371704.pdfIn PDF document text
    • http://edelstar-mos.ru/files/roxesekemomexodutulolugav.pdfIn PDF document text
    • http://lideparts.com/userfiles/file/1621658496.pdfIn PDF document text
    • https://kuechentreff-schmid.de/wp-content/plugins/super-forms/uploads/php/files/1nr0b2v8lfcefldfb76tr61dpb/xifumezimesavilamanaluvon.pdfIn PDF document text
    • http://goldartline.ua/userfiles/file/89258924231.pdfIn PDF document text
    • http://www.loicadesacavem.pt/wp-content/plugins/formcraft/file-upload/server/content/files/160a0a2fb32c10---72541034143.pdfIn PDF document text
    • https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/9c0055eda02f61d39a40ddf79c46f3df/88971803864.pdfIn PDF document text
    • https://controlcert.se/wp-content/plugins/formcraft/file-upload/server/content/files/1608987d1729ad---dagopabalimugajawevu.pdfIn PDF document text
    • https://festival-bg.com/media/ckuploads/files/fogodaxalapinoxus.pdfIn PDF document text
    • http://banphimchuot.com/userfiles/file/80273109169.pdfIn PDF document text
    • https://directprocessors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ca4abb5fc71---reles.pdfIn PDF document text
    • https://studio45.live/wp-content/plugins/super-forms/uploads/php/files/cfs6cqi373kmfa0uf4k19k3nhi/28785734182.pdfIn PDF document text
    • https://pinotcar.com/wp-content/plugins/super-forms/uploads/php/files/7085b70caba327d31892dca084209cd8/gulewevove.pdfIn PDF document text
    • http://kotolantopeni.cz/file/suwaxi.pdfIn PDF document text
    • http://chrisdepanneservices.fr/Sites/cds/files/mikegilimowag.pdfIn PDF document text
    • https://chpcentre.com/files/file/94636439533.pdfIn PDF document text
    • https://naseeha.org/wp-content/plugins/super-forms/uploads/php/files/b50ce9d3a77be6389cd3fdb51179e103/bobovufanek.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a16bef99502---ganufug.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098f57828469---bukekenexigafotodi.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=i+have+a+misdemeanorPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f745.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF745 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010f57.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F57 16792 bytes
SHA-256: 3e8059d20f7fcceb30a8170de41133352937097ef72edf17964dfa70202e062b
font_02_sfnt_off00013aff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13AFF 10388 bytes
SHA-256: 3e155805376d29ba34634cdfbbed5dcb437a3838f4d5bde3ca28a2f40a22c21a