Malicious PDF — malware analysis report

Static analysis result for SHA-256 a547753ea267a847…

MALICIOUS

PDF

84.8 KB Created: 2021-06-29 19:48:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9cb5497006c5c4d0cbc57c22e99241e1 SHA-1: 33e7eb6f051781d9e175ab73c6ca1ed199ca7feb SHA-256: a547753ea267a847368cf5f5fcfdc887ef608c894cdbff9840ae01b9baa85e37
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to compromised WordPress uploads and disposable hosting, disguised as lecture notes or invoices. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to deliver a phishing payload or malware. No scripts were extracted, but the URL structure and heuristic firings suggest a phishing or downloader attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/uplcv?utm_term=introduction+to+macroeconomics+lecture+notes+pdf
    • http://fixafilm.se/userfiles/file/mijajizujajetumalo.pdf
    • http://videoacceso.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d9acde7e8e9---40910515077.pdf
    • https://hyosungulf.com/uploads/file/vimirirebarineni.pdf
    • https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/92rfujeth6k1qchbrg2sfn46ku/ziboxox.pdf
    • http://www.aadhar-interior.com/userfiles/file/movugiro.pdf
    • https://www.avenueroadadvertising.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6250e01f75---vovew.pdf
    • http://lhsclassof1971.com/clients/74120/File/21224297887.pdf
    • http://henrycrawfordreunion.com/clients/1/19/1929e20d1ffebcad6d8b2a659e9c170d/File/buzarap.pdf
    • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a98bbf26054---32247839104.pdf
    • https://performanceltg.com/wp-content/plugins/super-forms/uploads/php/files/5db1be56b3c80c51c8b14f01e76ed416/febineret.pdf
    • https://misionesmedellin2030.com/wp-content/plugins/super-forms/uploads/php/files/3ponbblkn1ihrjp37jdfr14j0u/lekiji.pdf
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/16080094bbb57f---7814873552.pdf
    • https://halobysciton.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f702fd93a8---50971704538.pdf
    • https://www.prowallpanama.com/wp-content/plugins/super-forms/uploads/php/files/b67bfa452e9b882e1f3652e45721d349/76447187619.pdf
    • http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1607ba9143f44f---pibepo.pdf
    • http://digjamaica.com/app/webroot/files/xupexulinurowusexowin.pdf
    • http://eotp.info/sites/default/files/fck/file/83573477678.pdf
    • http://sahrugs.com/userfiles/file/19085281503.pdf
    • http://www.a-fairys-choice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a80559a34c7---24213221049.pdf
    • http://almar-bus.pl/userfiles/file/45091407618.pdf
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d022fdeede---40593675155.pdf
    • http://lawcab.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16086da3806cc0---welesologedebog.pdf
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/6f91ecd73109dbdce5e2b6e3f11fc2d1/zovoduxofuxewimaw.pdf
    • https://infravoip.com/wp-content/plugins/super-forms/uploads/php/files/cd969e070c1856d433810e6f2bc6bcfe/fogefazovumejabulaxox.pdf
    • https://jollytime.ru/wp-content/plugins/super-forms/uploads/php/files/f4648627d337b6b15055f1e4bf096481/towanozomovipidujoketeg.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e77f.bin
0a94ffb7d1cd489ee14c0100c3590f5e2751dbf947b3e33a85dca005deb3702b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE77F 17260 bytes
font_01_sfnt_off000114a8.bin
16221ae17cb100172ad6d36e91cbb49a52ab49ebbd97c60c6a09852878aeddb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x114A8 10832 bytes
font_02_sfnt_off00012da0.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DA0 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.