Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6022d916409fba8…

MALICIOUS

PDF

74.4 KB Created: 2021-06-11 23:41:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 984933032832d6cf9365071acb631e88 SHA-1: 8855aaeb9b947d11bcca1f00fe3e6eba3a92459c SHA-256: b6022d916409fba813d6ebe096b92b377c9d90dcef9f38ae28d6ac5817974f9e
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to compromised WordPress sites, which in turn host other PDF files. This suggests a link farm designed to distribute malicious content, likely for phishing or malware delivery. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=the+hobbit+1977+full+movie+download PDF link annotation
    • http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1608a9a0cb2134---67256006114.pdfIn PDF document text
    • http://pngroup.pl/ckfinder/userfiles/files/verivobijureritafemane.pdfIn PDF document text
    • http://grandchainfamilyfoundation.org/clients/85333/File/pubalusuk.pdfIn PDF document text
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d9fdf3a122---lararop.pdfIn PDF document text
    • https://www.qlsny.com/wp-content/plugins/super-forms/uploads/php/files/646f4ee1f548b650284fdaf64dd37220/dufonadolubiwiwasuwedez.pdfIn PDF document text
    • http://www.sunarozlem.com.tr/wp-content/plugins/super-forms/uploads/php/files/0adrh8fbeokh7euibcj51rqfh2/nixejiki.pdfIn PDF document text
    • http://millecolori.it/images/file/zikatoritoxemerujuxatudip.pdfIn PDF document text
    • http://lisahyatthealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b97795a8ef---44386116321.pdfIn PDF document text
    • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/84d4ed97d918e914757bd9c89ba1600f/nidawazeteluwolofazesomo.pdfIn PDF document text
    • http://www.mtpartnersfl.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f46178eaa3---nawurojulomovazapute.pdfIn PDF document text
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16083d485453cc---94911088613.pdfIn PDF document text
    • https://leunamgroup.com/wp-content/plugins/super-forms/uploads/php/files/1d5dec6b0b12f6d219c7d65ec00f65c0/zagekuzedaregas.pdfIn PDF document text
    • http://mirandatutoringcentre.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608755857f07b---topejanatawe.pdfIn PDF document text
    • https://lcd96.ru/wp-content/plugins/super-forms/uploads/php/files/78567ab396a54df1394035ab922e0424/noxoponiporomugewufujebak.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5d5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE5D5 5404 bytes
SHA-256: c7da3807a41f68587cd2d7058bdc59e7a79bc44d1688ef0fccbcbaba080b1134
font_01_sfnt_off0000f833.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF833 10696 bytes
SHA-256: cd4288cf68d27480e8ee3ff9328ebc34786a808091785f5e6d27c78192facaf5