Malicious PDF — malware analysis report

Static analysis result for SHA-256 a404ec8e4d14d390…

MALICIOUS

PDF

84.2 KB Created: 2021-08-10 08:54:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-02
MD5: 2b591ca6e827837f5c00a8159141f0d9 SHA-1: 732e21760d00bd3c25f72d8a5e1b0666469bd9f8 SHA-256: a404ec8e4d14d390b65e06aaa64d3d6c94ef746ac058848d20bfdf00c386884d
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. It uses an urgency-based lure. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories, presents a deceptive download button and contains embedded JavaScript. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 9

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070a38684d4c---16200675933.pdf In PDF document text
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/160751ceea67d3---97358358477.pdfIn PDF document text
    • http://studiofagiani.eu/userfiles/files/81062235819.pdfIn PDF document text
    • https://benchmarktransitions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160731a3ea6ec5---56567144246.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610d0d8081c66---xigopolijadevalevosuxovu.pdfIn PDF document text
    • http://giovanniseneca.eu/userfiles/files/6303216963.pdfIn PDF document text
    • http://www.tif.cn/wp-content/plugins/super-forms/uploads/php/files/9b3cde27u8lnn77hdbmff3qt8n/19845257428.pdfIn PDF document text
    • https://memorybg.net/app/templates/js/ckfinder/userfiles/files/36407602291.pdfIn PDF document text
    • https://tiemhoahaibara.com/data/dulieu/files/lutemow.pdfIn PDF document text
    • http://dienmaythanglong.org/uploads/files/80186924478.pdfIn PDF document text
    • https://pt2-turbo-j3t.com/contents//files/rekokidanogisewe.pdfIn PDF document text
    • https://engineeredrepinc.com/wp-content/plugins/super-forms/uploads/php/files/146bab8cae0ba54327cfb9dc8fcf9747/rozevajejesotegewebutofer.pdfIn PDF document text
    • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3b02372939---14787750753.pdfIn PDF document text
    • http://steclotildehorton.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a4aafd1929c---womefofivatolijut.pdfIn PDF document text
    • https://pikewallis.no/wp-content/plugins/formcraft/file-upload/server/content/files/160808999ab247---vovevalasavofivosafi.pdfIn PDF document text
    • http://stroisvias.ru/userfiles/file/73819756528.pdfIn PDF document text
    • https://oferta.lt/i/File/15877949662.pdfIn PDF document text
    • http://clingac.es/d/files/60736781307.pdfIn PDF document text
    • https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfb29e562e---56589865222.pdfIn PDF document text
    • https://299-45.com/CKEdit/upload/files/8439180689.pdfIn PDF document text
    • http://lactopad.com/uploads/files/kizojibizofuj.pdfIn PDF document text
    • http://euro-ex.com/images/blog//file/61632527845.pdfIn PDF document text
    • https://refundsrefunds.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c02e0239cc1---ruwalinazasitubu.pdfIn PDF document text
    • https://angelsstaff.com/uploads/file/fosawewogawe.pdfIn PDF document text
    • http://windcampus.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5055ec3841---noxolipuwuzexe.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=bengali+recipe+book+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e483.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE483 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fc9a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC9A 10792 bytes
SHA-256: 4f94e0a4a3577eee6872a096e0d68a8dfea0fa3ba26f1ce9a95b73874839b366
font_02_sfnt_off00011526.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11526 16588 bytes
SHA-256: 166b03dd38e3b1b82008e45cab410d1e3f0e9a2eac6fbdcefba01823155f4547

Open this report in the interactive analyzer, or submit your own file for analysis.