Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac11c7dea22fbb05…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Created: 2021-08-22 03:17:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: edb9237f2e228425e34b4f1621f2cd08
SHA-1: d8373708c1027ae044f50edc6c53b3b3c7dbba5e
SHA-256: ac11c7dea22fbb05a57a1e210ee60f03bc7a1457aa4e4acd5e2b7c3a637b1330
Risk score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains numerous links to external websites, many hosted on disposable domains or compromised CMS uploads, suggesting a link farm or phishing lure. The presence of embedded URLs and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic further support the attack pattern of directing users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9885

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c7f1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC7F1 | 11280 bytes
  SHA-256: 462a73ee62d651320f5502dcb97aee5a02cbf25fa3f816191e72d98fc3175da8
font_01_sfnt_off0000e1f9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE1F9 | 16940 bytes
  SHA-256: 02f6d83e7e221a871ef627248f6d651d371cbc828bdc6bb8b2c69a2d9c2d3160
font_02_sfnt_off00010e55.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E55 | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1