Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab1e1fc19b0158b7…

MALICIOUS

PDF

89.7 KB Created: 2021-07-02 04:50:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 82fc2584dcc1e192f8f40b830f321570 SHA-1: d59ad3fc1c5e903b320b232f142444d6bf0b0f6c SHA-256: ab1e1fc19b0158b77452ad3067812b0bb548c6c89c7c241514eea3efb5c8b4c8
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links pointing to compromised WordPress sites and other disposable hosting, suggesting it functions as a link farm to redirect users to malicious content. The presence of urgency lures further supports a phishing or scam-related attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089ded956759---sabake.pdf In PDF document text
    • http://etre-cheval.fr/Applications/MAMP/htdocs/etre%20cheval/news_pix/file/juzelewuvanukobonemiki.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7f426c485b---bapipizoviludejovofer.pdfIn PDF document text
    • http://braciszewska-klimek.pl/fck_files/file/11335515173.pdfIn PDF document text
    • https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/529abd464100d03dcc691ecf8ec8ab05/rateletunafulegitef.pdfIn PDF document text
    • https://petroblend.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099f354d0286---nujusabotuluzaterefitig.pdfIn PDF document text
    • http://mahlkoenig.nl/app/webroot/files/userfiles/files/98370198033.pdfIn PDF document text
    • http://gamjagolla.com/uploads/files/wasirenimevo.pdfIn PDF document text
    • https://callhfelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080fc6700f83---jakopivawodagedobirozelon.pdfIn PDF document text
    • http://yangs-ns.com/ckfinder/userfiles/files/20210529210338.pdfIn PDF document text
    • http://mattstergamer.com/wp-content/plugins/super-forms/uploads/php/files/h9kdfa9238f5uluimr57lssdk5/15960130840.pdfIn PDF document text
    • http://aihyang.com/userfiles/file/fazovefigu.pdfIn PDF document text
    • http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b6dae01715---negibojeforesizetufoluw.pdfIn PDF document text
    • https://www.visitrwanda.com/wp-content/plugins/super-forms/uploads/php/files/400b18f23a0755f05bec570188e05166/38353665153.pdfIn PDF document text
    • https://webhostmurah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c246cb76850---65150085413.pdfIn PDF document text
    • http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096d7fd26119---lalusekut.pdfIn PDF document text
    • https://www.ciabrini-immobilier.com/wp-content/plugins/super-forms/uploads/php/files/qc50pg9la1skar2v7s03c2uljp/14280953847.pdfIn PDF document text
    • http://seanbittinger.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/43585242119.pdfIn PDF document text
    • https://alkirbilaw.com/userfiles/files/mubarusisaxa.pdfIn PDF document text
    • http://dodici12.ru/wp-content/plugins/super-forms/uploads/php/files/s6dda3k17a339i2tnd1i9i7if6/81726873786.pdfIn PDF document text
    • http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160825fd741fad---tukoxixidona.pdfIn PDF document text
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/ur49rai09voahh7fqcj9msh22d/koniwe.pdfIn PDF document text
    • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/160771e9e01b0c---23280260965.pdfIn PDF document text
    • http://hytechplus.com/userfiles/file/54489325067.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=downer+cow+syndrome+treatment+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f7f5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7F5 10844 bytes
SHA-256: 2c4008b077e0309c88552858a2c1f76d8ed4c403ae034c7ba50891c87c0bd114
font_01_sfnt_off0001111b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1111B 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001292d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1292D 17800 bytes
SHA-256: 7ec8646415a0ecb062765e0e0c28515ab4afbcaf60bbe2e396e679178c932011