Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5a7010eefcc1a83…

MALICIOUS

PDF

89.6 KB Created: 2021-06-25 05:07:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: a7c17bb9c4c6c0849b7d3fc4e26206e4 SHA-1: 878bd966d1dfe8f3d4616a4b3744e9382453446b SHA-256: b5a7010eefcc1a8315dd70de19b45288c8fecd07e62682afb00cebcafea626d8
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1059.007 JavaScript

This PDF was flagged by ML classifiers and ClamAV as malicious, with specific heuristics indicating a social engineering attack (ClickFix) that instructs the user to execute a command. The document contains a link farm pointing to compromised WordPress sites, suggesting an attempt to host or distribute malicious content. While no scripts were directly extracted, the nature of the ClickFix heuristic implies the PDF is designed to facilitate the download and execution of a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609c27987e07b---malekuzoki.pdf In PDF document text
    • http://ptk-astana.kz/wp-content/plugins/super-forms/uploads/php/files/8981ba7f15e4470c6bd32dd5a894c7da/sozajefejanemuliv.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/40vrooplme9n0ucjbr0t8pgjp8/62549698487.pdfIn PDF document text
    • http://maihome.hu/admin1/file/42936364438.pdfIn PDF document text
    • https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/0d1bb4a8f0f5fda6a9d95b2f39eefbf3/bedagovunagitepivulijux.pdfIn PDF document text
    • https://alihuata.com/userfiles/file/25302758964.pdfIn PDF document text
    • http://meble-tk.pl/userfiles/file/wexiruvinox.pdfIn PDF document text
    • http://kleiberit.ru/files/file/lumazofaluzumuwulidujida.pdfIn PDF document text
    • https://fatheragneliti.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608632df2f519---kopuropav.pdfIn PDF document text
    • https://olgapopovaphoto.com/wp-content/plugins/super-forms/uploads/php/files/f31e464ea4c525586db06e615989a89f/lefipaxotovigapatonu.pdfIn PDF document text
    • https://lokmangal.co.in/wp-content/plugins/super-forms/uploads/php/files/4da7a4ebd28db35c38a0a4e7b8fdcf07/33916731413.pdfIn PDF document text
    • http://alexforstarlight.com/clients/4/41/4125d763bdae894b2c088b8c4c0f4705/File/48101371945.pdfIn PDF document text
    • http://milcontabil.com.br/wp-content/plugins/super-forms/uploads/php/files/r8tc2nholfl8c0mhajpr4jpe95/9983989409.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b77e4ead1b0---gibivawudemolanerogefe.pdfIn PDF document text
    • https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/aok3st30u3grh4k1lo0jbuahk6/vawezaju.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=katherine+elizabeth+texture+pack+pePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed8d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xED8D 2876 bytes
SHA-256: a0df6af9763bbd340e3cf16ed9b3f339a092d25858996988c5d73bd1bef9ab04
font_01_sfnt_off0000f7c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7C9 5136 bytes
SHA-256: 5033d5947b1ddbad0447801339eb037c6a28651b859b67c71a2821c7ca0681af
font_02_sfnt_off00010939.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10939 1892 bytes
SHA-256: 6c40c24049063d20f38f379a1ca3b8fd5527db7973066f59bb6b8bef044e1f73
font_03_sfnt_off0001125a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1125A 14304 bytes
SHA-256: 669978ed5c1522c9e2ecab5f36dd6d323dc4121c4aead54afb0eaa2284405f1d
font_04_sfnt_off000140ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x140FF 16208 bytes
SHA-256: 3b60b84f554398af14c4ebb484939287515345ca9e6929e6e2fbb436f7be1588

Open this report in the interactive analyzer, or submit your own file for analysis.