Malicious PDF — malware analysis report

Static analysis result for SHA-256 b185791653f4f620…

MALICIOUS

PDF

97.1 KB Created: 2021-06-27 03:21:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 489f90e80d68abefe300b5da3d37c1e4 SHA-1: 13fc6d40c1875ab1b62a9fb325571e152bfb4cb9 SHA-256: b185791653f4f620cc79aaf83f8a935eb8437bf410321f518f5c46e8fd56ed5d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of external URIs and is identified as a link farm hosted on disposable domains, a common tactic for phishing and malware distribution. ClamAV detection and ML classification further support its malicious nature. The document body is heavily obfuscated, preventing analysis of specific user-facing lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9747

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=ford+fastback+1968
    • https://oddluzanie.net/userfiles/file/fofexazen.pdf
    • http://workcoop.org/fckeditor/userimages/file/20210607141521.pdf
    • https://martybermanassociates.com/wp-content/plugins/super-forms/uploads/php/files/a9607f28b979a2ea7889429021961bdd/72854907320.pdf
    • https://chief-moving.com/editor_upload/file/dusapadumiwo.pdf
    • http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/160c8a3b63f69e---17867678218.pdf
    • https://dezsredstvompx.ru/wp-content/plugins/super-forms/uploads/php/files/9e0c6d4dedc26027c9966a705569cf2f/57035286265.pdf
    • https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1607af9ed1044d---povugewepejolawegixofuvam.pdf
    • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/orfkctq2hc1e0647n22ngdvgei/dadajefalarimabud.pdf
    • https://humanistbeauty.com/wp-content/plugins/super-forms/uploads/php/files/8b8ljsg83kr7rgm5269ndfgkem/5897415487.pdf
    • https://patriot.ch/wp-content/plugins/super-forms/uploads/php/files/j0jv0ra4gt3rj4ajp3c3j6epsa/73685090396.pdf
    • http://msci.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/16084e9799f5e6---75869831647.pdf
    • https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607476c04867b---molejutakerutukupigevudor.pdf
    • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/ac2dae721eea6f4e451ddb54d9192e3b/tasixurolafota.pdf
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b76ee3e4eb5---razasejebibosifi.pdf
    • http://extreamtuning.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160742616d8e28---98227717231.pdf
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/160877b712301d---bujowuwusovebamejune.pdf
    • https://moniimpex.com/wp-content/plugins/formcraft/file-upload/server/content/files/160860c6753003---46702827150.pdf
    • http://timandlor.com/userfiles/file/86480105495.pdf
    • http://adanateknikservis.web.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b9a3569bbf7---wilajafegamifutukavilalem.pdf
    • http://fuga-hotel.com/CKEdit/upload/files/motudobodutirokidowete.pdf
    • http://michianaorchidsociety.org/clients/2/28/2832e32407c795c8d28ffe68102aa18e/File/fivogorakilipedinige.pdf
    • https://www.lokalesichtbarkeit.de/wp-content/plugins/super-forms/uploads/php/files/tle5i3o500dhg10s95aid7rum0/59426308505.pdf
    • http://botosani.ro/img/uploads/file/41990150794.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc804829be0---92077887566.pdf
    • http://omniatel.it/wp-content/plugins/formcraft/file-upload/server/content/files/160a231733fba9---jularerizazewarisefuve.pdf
    • https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160788a7502c77---puvewelebumogit.pdf
    • https://carrieres-pierre.com/userfiles/file/70702179777.pdf
    • http://duszek-lasu.pl/userfiles/file/pefizuruvuku.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fac0.bin
b524d5e975f1ce2e7456b316a25b863e987fce247d7a767c8fc60d152232633a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAC0 17748 bytes
font_01_sfnt_off000129c2.bin
c4ffe54b552ca835616c0bb383d311b8b8260ae3affe35ff0bbcd44743391153		 pdf-font-stream PDF embedded font (sfnt) at offset 0x129C2 18032 bytes
font_02_sfnt_off000144e6.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x144E6 16792 bytes
font_03_sfnt_off00015cfd.bin
cfd518f499ea6823b27461ca477f98f19ec591cfd07328dc5c4003f707c9b8d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15CFD 10900 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.