Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6081dfb3af37c55…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Created: 2021-09-19 22:12:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: f8e20a9191696d7b309f7a460d9009d9
SHA-1: b99fae1eb4600192e1eeece1955dee2d9786dd63
SHA-256: a6081dfb3af37c550339a1526296b35dd69199e3dcac1d19f247de5b78c813a2
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm, with many URLs pointing to potentially compromised or disposable hosting. The presence of multiple external URIs and a link farm structure suggests the document's primary purpose is to redirect users to malicious websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c748.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC748 | 10964 bytes
    SHA-256: ef57785383fa544c6d61c020f1096b0d4854c414a275685966edf582f7e4722c
font_01_sfnt_off0000e091.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE091 | 17420 bytes
    SHA-256: f2ae7c1480c48c4cb3268310a147be9c21134851a79d806db287318b751a5d1f
font_02_sfnt_off00010da7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DA7 | 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1