Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4ae6dc22653f450…

MALICIOUS

PDF

101.3 KB Created: 2021-08-02 06:03:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 48f891ac02f6bbab06ef43a2fa9cd306 SHA-1: 4e23f4d68628238d4d76c56508bf19a423f6074b SHA-256: a4ae6dc22653f450febb5c27f5e990f8fcce73d33af31bd39d5e831c56473be8
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF file flagged by ClamAV as a phishing trojan. It contains numerous links pointing to compromised WordPress sites and IP addresses, indicating a link farm designed to redirect users to malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the PDF structure and URI heuristics suggest it's a lure to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9853

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bywuf.org/upload/editor/files/gogojojavavewosax.pdf
    • http://bptramptour.pl/files/file/modiled.pdf
    • https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/274fcf5db07d8bbc4ebac031fd0289c2/rowol.pdf
    • https://0900107678.com/upload/file/50727999602.pdf
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/160baf5a29e130---96171110526.pdf
    • http://anhuifan.com/upload_fck/file/2021-4-29/20210429142932579642.pdf
    • http://www.mostex.sk/files/articles/file/gofoxesogafiwixofik.pdf
    • https://www.andeanskyline.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e437a7a028c---jolix.pdf
    • http://wsp.pl/userfiles/file/minumimaniwetakol.pdf
    • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/9760227ba202d406d347fd31eadde20f/belenanibari.pdf
    • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/07842dde7333a043ac525c0fc7404931/tibozasekunadirozetorosen.pdf
    • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b98036d24de---99596447211.pdf
    • http://esipro.fr/userfiles/file/95846103067.pdf
    • http://remobudostol.pl/pliki/leluxoxit.pdf
    • http://annandale1963.com/clients/69704/File/20181306248.pdf
    • https://gastriklandsbf.se/UserFiles/files/pufizijofefixuted.pdf
    • https://eyestech.in/wp-content/plugins/super-forms/uploads/php/files/aqng7t8t8t1r2p0g99561f1qp3/sederusinatuperelimozotat.pdf
    • http://zhengfutz.com/v15/Upload/file/20217555309460.pdf
    • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/18818ff9d0e6de68da0ce58685dc5f77/xanajonamewiruxi.pdf
    • http://www.investing-in-women.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609edb1b4ea84---xokoduludedex.pdf
    • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/16076eea1f4088---wexed.pdf
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608502af3b92d---61085371563.pdf
    • https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/0f35efebb327426933a74380a9132b53/54083241017.pdf
    • https://majorsagilekvaros.hu/uploads/file/kawadupiv.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=the+equalizer+movie+dailymotion
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001057a.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1057A 16792 bytes
font_01_sfnt_off00011d91.bin
af9a605629ae23296fddd7f0a070c2ee10af13445dd0f6e3a8e1a0e8a187c467		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D91 10792 bytes
font_02_sfnt_off0001360d.bin
d7cd55395ca8c5b3ded2e9f44cdcfdf374181edfe397b2f4d7fa01d4c9eac515		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1360D 16280 bytes
font_03_sfnt_off00014c25.bin
e56bba586f25b7bb331306cce9154593ee2e022724dfd3cbe2c17502343e7eeb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14C25 1784 bytes
font_04_sfnt_off00015486.bin
1e93b6801832deb9024ee07f18ddef6df3c40c696d87e05e5e843c9888463677		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15486 18408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.