Malicious PDF — malware analysis report

Static analysis result for SHA-256 b09f406694d821cd…

MALICIOUS

PDF

68.8 KB Created: 2021-09-06 20:09:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 330884e8f758b53fab9fea0c0812b693 SHA-1: 7f1bb0caf5c102da19e099d55651f5e933bbed12 SHA-256: b09f406694d821cd0057615da51d1bc54739f1c9a396fb28495d12ae2c14484a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF contains embedded JavaScript and numerous external URIs, many pointing to compromised CMS uploads or disposable hosting, indicating a link farm designed to redirect users to malicious sites. The ClamAV detection and ML classifier strongly suggest malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9944

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=funmilayo+ransome+kuti+pdf PDF link annotation
    • https://chetanaus.org/bheru/uploadfiles/file/31764433847.pdfIn PDF document text
    • http://cabini.it/userfiles/files/kutuwirurelatume.pdfIn PDF document text
    • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/1sofm7887vovth6a57l126dmi1/94693800059.pdfIn PDF document text
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/8737b65922d190cfae365c3faa16fdce/41782864231.pdfIn PDF document text
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/1607611b548f1e---wujabobuvajulage.pdfIn PDF document text
    • http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1611e35816758c---52039848842.pdfIn PDF document text
    • http://ijdssymposium.eu/upload/35047215193.pdfIn PDF document text
    • https://www.glasswindowequipment.com/wp-content/plugins/super-forms/uploads/php/files/d4581d5911ebbe3b748b83124fbad810/77431760274.pdfIn PDF document text
    • https://bykevin.com/wp-content/plugins/super-forms/uploads/php/files/674c4f51ad47c3ed005dab869116a558/56280592321.pdfIn PDF document text
    • http://cps-mbstu.edu.bd/app/webroot/js/ckfinder/userfiles/files/68489085827.pdfIn PDF document text
    • https://www.justgym.co.za/wp-content/plugins/super-forms/uploads/php/files/i6dktd8grpmtsnmcduuof3qdr9/xofunogoporumomuwudawe.pdfIn PDF document text
    • http://morebricks.com/ckfinder/userfiles/files/jewop.pdfIn PDF document text
    • https://afanasyev-design.ru/wp-content/plugins/super-forms/uploads/php/files/3735b02b0f389f6220f881a670179ffe/gajepatarojokiw.pdfIn PDF document text
    • http://tdfinalists.ca/clients/43449/File/27326805528.pdfIn PDF document text
    • http://omgmediatank.com/userfiles/files/10636445844.pdfIn PDF document text
    • https://alakharia.com/public_html/userfiles/file/18953931550.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/5eba922db5b48fe5e8389f47fdc07eae/41101097646.pdfIn PDF document text
    • http://2016montemayorreunion.com/clients/e/e5/e530e98a7ee505477716bae2fe71cdef/File/56286094339.pdfIn PDF document text
    • http://apsons.eu/files/file/motudivotiwelemofopino.pdfIn PDF document text
    • http://trivio.it/userfiles/files/97915124296.pdfIn PDF document text
    • https://fmpride.com/wp-content/plugins/super-forms/uploads/php/files/bc85b36b36762c5b4a57bff33274670f/38978531196.pdfIn PDF document text
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6d968c19bd---71464993685.pdfIn PDF document text
    • https://vresponse.net/userfiles/file/20918959072.pdfIn PDF document text
    • https://kantankacreative.com/wp-content/plugins/super-forms/uploads/php/files/b15454a57c9d1e7e93ae6a44101b7944/tulutolivefiwuwukif.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b567.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB567 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000cd7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCD7E 10940 bytes
SHA-256: 158d8d0ec07213ffff40e312c942f57f16f44fb57702fc9c43648ac65ff4fd23
font_02_sfnt_off0000e6d4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE6D4 14844 bytes
SHA-256: 1c1c2cf8cf7803d9dcf207b8e9d7fa617288e7ce57d2810e4c82cad9f8f84abf