Malicious PDF — malware analysis report

Static analysis result for SHA-256 aef071cec451f613…

MALICIOUS

PDF

90.3 KB Created: 2021-06-29 11:10:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: fd65969c8e4be9116d31ffe075f213c9 SHA-1: e97758f43fe1a314139dceb48ba718f2e520ab01 SHA-256: aef071cec451f6139e87622465c02f7f4dee2060b8e8b8cbcfed3d74d14e8542
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external URIs, many pointing to compromised WordPress sites or disposable hosting, suggesting it functions as a link farm to distribute malicious content. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this, indicating a sophisticated effort to obscure the true destination of the links. No scripts were extracted, but the overall structure and URL findings point to a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9822

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/uplcv?utm_term=dare+you+to+katie+mcgarry+pdf
    • http://wignaccent.com/FCKeditor_2.6.3/userimages/file/20210626004503.pdf
    • https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/1cbedc9538b039599d09d3963a9dedf2/33637522107.pdf
    • https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/293b576c4350cdb543b5ddf05be6b3dd/21688021558.pdf
    • http://ptk-astana.kz/wp-content/plugins/super-forms/uploads/php/files/3d59396fce4af8dcebed9e2c2a3ae80c/63993353680.pdf
    • https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/1608ab07d3ad6f---96783043293.pdf
    • http://etcad.net/np/upfile/file/kujixutoriv.pdf
    • https://www.techsrollout.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c011c1789e3---pigusagev.pdf
    • http://secretlove.ch/ckfinder/userfiles/files/86584218275.pdf
    • http://alpha-th.com/userfiles/file/48746438531.pdf
    • https://artlabjo.com/userfiles/file/50393455073.pdf
    • https://mls.lighting/wp-content/plugins/super-forms/uploads/php/files/bbe5ca1d1d99e64da53385aabb9df0eb/dopizorigatuwo.pdf
    • https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/deb08036368b045a3adab4a2de36bd26/6836098514.pdf
    • https://1sis.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609887bba306c---guzujekefaxuzav.pdf
    • http://birzebbugastpetersfc.com/files/file/13335869542.pdf
    • http://studiolegalezullo.eu/userfiles/files/doxusozetijetu.pdf
    • http://deauville.ru/files/file/89993215293.pdf
    • https://www.lamuccacompany.com/wp-content/plugins/super-forms/uploads/php/files/e36dc6a4e2293901323d2175d2d1fb07/fefibaxumokumiwi.pdf
    • http://findmecakes.com/userfiles/files/90572035706.pdf
    • http://jedwines.com/cmsCart//upload/file/15607346578.pdf
    • http://prattsofdouds.com/clients/d/d8/d85aab9f4bcbae69c8358f7a9990a0b1/File/29622104324.pdf
    • https://vinisfarm.com/wp-content/plugins/super-forms/uploads/php/files/1241ddadd64b060a8ae18198f9c4ef98/17614454847.pdf
    • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1609fe44dbdb16---85957538145.pdf
    • https://sharidendesignasphalt.com/wp-content/plugins/super-forms/uploads/php/files/c2a6cf84d6f2ef88797746881e8f719e/bosoj.pdf
    • https://flvirginia.com/wp-content/plugins/super-forms/uploads/php/files/7c006dee5646bc2b4fded7f89ca84bd4/zesamigoxo.pdf
    • https://livingcircles.ch/wp-content/plugins/formcraft/file-upload/server/content/files/16097f61133188---49175377407.pdf
    • https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e5412662bb---35908627867.pdf
    • https://markzone.az/wp-content/plugins/super-forms/uploads/php/files/3tthkqbta7tkatelt8rjme47ap/zoxiga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc02.bin
4a00c7ac817b13981af2a47a9f39aad242f98b410b05f0afd1290c83df41aad9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC02 17960 bytes
font_01_sfnt_off00012a60.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A60 16792 bytes
font_02_sfnt_off00014277.bin
4f37a724f5036a9354dc582076c9d4428af93c11e92aee80cf5a2365504ffd6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14277 10952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.