Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c8794de014102d…

MALICIOUS

PDF

85.6 KB Created: 2021-06-29 12:10:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: 8a3a90bd16ae52a36ee3be8459bf64de SHA-1: 72f4915c0c1d4f9828831b48546cdcff7f24e579 SHA-256: a2c8794de014102df3e4984d4dcc76b06a1f5fae0151436178c9c1e1b8ce789c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. Several heuristics point to the document functioning as a link farm, directing users to compromised CMS uploads and disposable hosting sites. The embedded URLs, while numerous, do not provide a clear second-stage payload, suggesting the primary goal is to redirect users to potentially malicious external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://norilskgu.ru/userfiles/file/4760434445.pdf In PDF document text
    • http://woonhuislift.info/wp-content/plugins/formcraft/file-upload/server/content/files/160bfd915772d3---46568015556.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082404bd450e---zevugajexewakamofilibebu.pdfIn PDF document text
    • https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/1608e75e6c65ae---38195158929.pdfIn PDF document text
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/mouf10df2bme939rn5hqmup5r0/galozogewipunibibixeru.pdfIn PDF document text
    • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/8e78298bdcc32c82eaa8c99d4900b4f8/56061206651.pdfIn PDF document text
    • https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/61af55247ce7eb554e5aa7aba0d8dcb7/60999197613.pdfIn PDF document text
    • http://globalquestconsulting.com/userfiles/files/xewulunumiki.pdfIn PDF document text
    • https://serka.com/serka/upload/files/ginarigakopigibof.pdfIn PDF document text
    • https://www.crossfitparamaribo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c7bb8f57849---45370796460.pdfIn PDF document text
    • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609fa661a0ce4---40403181465.pdfIn PDF document text
    • http://bielwod.com/userfiles/file/zudojinidaxotumepofuk.pdfIn PDF document text
    • http://www.naturapreserved.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae7ba3efc1e---mijamo.pdfIn PDF document text
    • http://mientrungpetrohotel.com/users/files/68342232963.pdfIn PDF document text
    • http://saludocupacionalpso.com/home/wp-content/plugins/formcraft/file-upload/server/content/files/160784410f2894---88382511563.pdfIn PDF document text
    • http://ekotronic.eu/files/file/76552814767.pdfIn PDF document text
    • http://wecans.net/_UploadFile/Images/file/51667571325.pdfIn PDF document text
    • http://3colorjazz.com/fckeditor/userfiles/image/gobarozapiputajiv.pdfIn PDF document text
    • http://pagyesa.org/userfiles/file/20210609233706.pdfIn PDF document text
    • https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/vc17ics9hllpvas3mra6n3hj0d/84669789894.pdfIn PDF document text
    • http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160c46dc2d439b---70039835343.pdfIn PDF document text
    • https://wccia-vastu.com/wp-content/plugins/super-forms/uploads/php/files/f766c12ccfa0bb950023d2e5bf5ebe83/95810439842.pdfIn PDF document text
    • https://signaturetowerpune.com/wp-content/plugins/super-forms/uploads/php/files/p6blpqthjlg2op595mebndc3p2/jusukozefeseguruw.pdfIn PDF document text
    • https://funkydrop.shop/wp-content/plugins/super-forms/uploads/php/files/e5cba0f63f517c01e3f7a24e8e6b6779/63206991132.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=5+stages+of+group+development+tuckmanPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e830.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE830 11168 bytes
SHA-256: bce76482466961e7f7e3b199b059f56335578b4e3086d253dba35662bfbd24e8
font_01_sfnt_off00010230.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10230 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011a42.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A42 17208 bytes
SHA-256: 3ea0ae8ea365937bf7b98e0de2e7ab86950753ebd5bdc661bacf0630662869a5