Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4ebd38a42b00382…

MALICIOUS

PDF

84.5 KB Created: 2021-06-29 20:14:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c828287ca7b49d3b37bdb0dc2678af8d SHA-1: 20315cb9bd9991d42a5a58bc0117ee923ab8c556 SHA-256: b4ebd38a42b00382bc20c55a2e6d83504edce420297033f227296e139e11ff2e
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It contains a link farm pointing to compromised WordPress upload storage and other disposable hosting, suggesting an attempt to redirect users to malicious sites. The PDF structure itself is also noted as a link farm, indicating a primary purpose of directing users to external, potentially harmful, resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sitebyside.ru/wp-content/plugins/super-forms/uploads/php/files/753f1dda2757265c9217217ddc02fe41/17411059570.pdf
    • https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/158976659fafe58d6d603bb87710c92e/buzefawedubenukerimesigo.pdf
    • https://bonafideonline.com.ar/wp-content/plugins/super-forms/uploads/php/files/792889f668f79bd07de62f9f294a7a0c/93114879282.pdf
    • https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b59adb780e9---gaxodavixugufabuporerazu.pdf
    • http://verynailscm.com/user_img/file/bamafasojatoxiwivusuj.pdf
    • https://dptech.vn/uploads/files/85943137666.pdf
    • https://www.electriclighting.com/wp-content/plugins/super-forms/uploads/php/files/e64546414f3eb724df0c956accf271d7/40412895655.pdf
    • https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160753eab43aba---nuwusunapilali.pdf
    • https://www.lightingdynamics.com/wp-content/plugins/super-forms/uploads/php/files/d61a57324b7b3e3037b65c7ffd8fe1be/64484344518.pdf
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160c19983d3c8c---gawajajivefuvipamazosudu.pdf
    • https://www.servicioscalibrados.com/wp-content/plugins/super-forms/uploads/php/files/ed1d5831c347b0a8fceeec03b9842a47/dugadolorenewaliponavigo.pdf
    • https://ph2020.org/FCKeditor/file/nojiw.pdf
    • https://www.democratum.com/wp-content/plugins/super-forms/uploads/php/files/47f90de3bcd1238e321f4364d04bfb6d/fexiwamigojiporu.pdf
    • http://cancercareresearch.com/userfiles/file/73738681812.pdf
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/d068d616847762afdd18de5ffbe51474/16653406071.pdf
    • http://puppies-4u.com/clients/e/e7/e7f09595da74c05d2059c741134300d2/File/zenafavubepoxumerevara.pdf
    • http://www.airportlimofortlauderdale.net/wp-content/plugins/formcraft/file-upload/server/content/files/16086f0aa16cc4---37187784761.pdf
    • https://www.entornopublicitario.com/wp-content/plugins/super-forms/uploads/php/files/b79296e28cbaa1f1fea20925dcb81333/74437297205.pdf
    • https://cspdental.com/wp-content/plugins/super-forms/uploads/php/files/b6b516cb7b34ed4294120248090306be/92344043299.pdf
    • http://muzeumostrowiec.pl/obrazy/file/47601617072.pdf
    • https://andhimazhai.com/images/files/zasododupofijovisanaduz.pdf
    • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/98220baf3f1adcb1b9f7864cfafdb7b8/65188031804.pdf
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/16098678de67b3---93378341507.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/1xuhb7AK25c/uplcv?utm_term=canterfield+of+clay+county
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8c3.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8C3 16792 bytes
font_01_sfnt_off000100da.bin
403204e314353ece3b53b4318154041532157b77e03118d10b9095e493d99404		 pdf-font-stream PDF embedded font (sfnt) at offset 0x100DA 10548 bytes
font_02_sfnt_off00011909.bin
eb74963456b480ad3b988276e32663f0441b6c984c1221e41350a6ac391c907f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11909 16768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.