Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa8d75510ac71209…

MALICIOUS

PDF

215.9 KB Created: 2021-06-26 12:15:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: f6f32e4af35e5dcaaa09dc48204854a0 SHA-1: ff49c40925a0cde5989703c59776e412a81a3ede SHA-256: aa8d75510ac712090e40fbc947978273dc2fb88b559e06a53eedd031a208165d
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics indicate it contains links to compromised WordPress upload directories and an SEO redirector, suggesting a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF structure and embedded URLs point towards an attempt to redirect the user to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9685

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/uplcv?utm_term=play+sound+effects+through+discord PDF link annotation
    • https://riverasphotovideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160771975818a3---14878062933.pdfIn PDF document text
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7e7b1a9b79---bujojelozozunazobe.pdfIn PDF document text
    • http://aarogyamedico.com/userfiles/file/68454090716.pdfIn PDF document text
    • http://caribsplash.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607726442965f---56180510861.pdfIn PDF document text
    • http://uleshuzatshop.hu/files/file/55687903617.pdfIn PDF document text
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b5cd71aaf7b---880793086.pdfIn PDF document text
    • http://jshtextile.com/UserFiles/file///14916548513.pdfIn PDF document text
    • http://cn-daomeng.com/upload/userfiles/files/c26d2ab60e965ab9726ac76184504436.pdfIn PDF document text
    • http://aire-limpio.com/img/editor/file/mifunovepiwidosajupebo.pdfIn PDF document text
    • http://orderleesushi.com/uploads/files/gilasijor.pdfIn PDF document text
    • https://www.grecosalesinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a0cc978b02---nupejapegotajelufap.pdfIn PDF document text
    • http://volamtuyetthe.com/userfiles/file/26736658120.pdfIn PDF document text
    • http://studiosimonepantaleo.it/userfiles/files/tatexufixeviv.pdfIn PDF document text
    • https://mfdesign.hu/files/file/vinamefoxol.pdfIn PDF document text
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072e564dafbb---68967014557.pdfIn PDF document text
    • http://maybomchuachay24h.com/Images_upload/files/54946800147.pdfIn PDF document text
    • http://op-gold.com/ck_image//files/rufoma.pdfIn PDF document text
    • http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606f026e76edc---jinusalonapekipifi.pdfIn PDF document text
    • http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160a44b9c40e2e---56763393210.pdfIn PDF document text
    • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160a5f93196aba---67486765821.pdfIn PDF document text
    • http://www.tecnotrefg.it/wp-content/plugins/formcraft/file-upload/server/content/files/160a5b2038f856---dizudekepexi.pdfIn PDF document text
    • https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/3150b13d104a955b42fa5dfc7aecc02e/44662505080.pdfIn PDF document text
    • https://pathakpharma.in/singhania/downloads/file/41911238341.pdfIn PDF document text
    • http://lbs.ac.at/wp-content/plugins/super-forms/uploads/php/files/u973i2b0hqq85n03kdonkg032p/31226371565.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002da74.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2DA74 16232 bytes
SHA-256: bf3ac2bbc5511ca59b022801f68684aa2b8ae7661b1a55c6866fed5ae8d27d0d
font_01_sfnt_off0002f057.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2F057 10968 bytes
SHA-256: b8241550f17be26fa2a42ac8fed8ba128f8045c135aafd066ac60d3410aad454
font_02_sfnt_off0003099c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3099C 18044 bytes
SHA-256: c95f4e835e315676ddc762e964f0e8ee757378f225d8df7baa2037fd6c1206fd
font_03_sfnt_off000338c8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x338C8 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1