Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2ad961c4c8cadb4…

MALICIOUS

PDF

101.3 KB Created: 2021-07-07 03:37:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 228a30314bd069cfbdce25f0cf6bf123 SHA-1: 2b14541aff407beaf80cdf23e8576489dcce656e SHA-256: b2ad961c4c8cadb405a5dd6a1cb26a1aed1823cb2384da4e3b3db210669f39b8
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document contains numerous links to external websites, many of which are hosted on compromised CMS platforms or disposable domains, suggesting a link farm designed to redirect users to malicious content. While no scripts were explicitly extracted, the nature of the link farm and the detection as a 'Phishing.Trojan' implies the potential for JavaScript exploitation or redirection to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9923

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/f23dd5d0251b6f609dbee441e595b4e2/79835674902.pdf In PDF document text
    • http://tatugigo.com/ckfinder/userfiles/files/pasokumo.pdfIn PDF document text
    • http://safeabortionnepal.com/userfiles/file/49966041164.pdfIn PDF document text
    • http://aaykpn.com/uploads/editor/files/xozulorofoxefipagenub.pdfIn PDF document text
    • https://miamivanservice.net/wp-content/plugins/formcraft/file-upload/server/content/files/1607b05be42982---44808573374.pdfIn PDF document text
    • https://www.expoagrogto.com/wp-content/plugins/super-forms/uploads/php/files/hg55udfdi14j1211l6n2p40pm7/1267360404.pdfIn PDF document text
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/ap8u3q0no9ugnfublc1qg9b070/sebepajoxalakijetugopil.pdfIn PDF document text
    • https://solarconsulting.org/wp-content/plugins/super-forms/uploads/php/files/c53b3a65374c850388255c39f1b6de10/1926480626.pdfIn PDF document text
    • http://www.realisthotel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b760b283053---polenozebogi.pdfIn PDF document text
    • http://www.guaitoli.eng.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b793a330c45---71642692187.pdfIn PDF document text
    • http://moriefrusca.com/userfiles/files/28275280152.pdfIn PDF document text
    • http://shmountaineering.co.uk/wp-content/plugins/super-forms/uploads/php/files/7vprdl2d7srolmoqpbj8fuj8n5/96445065804.pdfIn PDF document text
    • http://ztkammer.at/uploads/file/50671033127.pdfIn PDF document text
    • http://msci.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/160dd7f1275236---jugejudaza.pdfIn PDF document text
    • https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/58a61ebf9c5ef58ed0ff9c2b5463c5d1/12091719426.pdfIn PDF document text
    • https://comesa.com.pe/wp-content/plugins/super-forms/uploads/php/files/brjltmmtcfoaf3ha5qjlfch1s1/76900010477.pdfIn PDF document text
    • https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/aac2ce41feb168970a7e68e2fd8fa67e/31866936851.pdfIn PDF document text
    • https://djhelaly.com/wp-content/plugins/super-forms/uploads/php/files/fec19fc3519705ad12fabd859eb18abc/lezegokifarajanivaduro.pdfIn PDF document text
    • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/357bd3d26fe6ea415a3a71b91dfafe06/ziwexagufijobopiba.pdfIn PDF document text
    • http://ray-king67reunion.com/clients/41562/File/28612819818.pdfIn PDF document text
    • http://chinoboxingclub.com/clients/36032/File/15203774637.pdfIn PDF document text
    • http://karunb.com/UpLoads/files/50812569938.pdfIn PDF document text
    • http://hyosangjo.com/userfiles/file/20210615205152.pdfIn PDF document text
    • http://atlantichomeportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160990ab7c0f6d---51741621954.pdfIn PDF document text
    • http://palami.by/images/file/307912604.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=cellulitis+and+diabetesPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012cdf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12CDF 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000144f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x144F1 16984 bytes
SHA-256: a75a835c77beb1d31b11a2bad2d29a2782db61950127ca39f24f73fcf08aa8ad
font_02_sfnt_off00017086.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17086 10292 bytes
SHA-256: fa5346894154f1c3d306221cea957b91e54a3510aaf75ddbde46de2c361c635a