Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f2fc164e1f7f25…

MALICIOUS

PDF

92.2 KB Created: 2021-07-23 18:29:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 92f5847bffa8e14c3c6f398a03873495 SHA-1: fef7b6c4194ac2cb8e1bbf6cf7e0c5bdbaa40450 SHA-256: b6f2fc164e1f7f25df92e9f2f4db201d27bab70eb24fa582d486bc37cc1b35f2
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains embedded JavaScript and a high-risk heuristic indicating instructions to disable security software. The document's content and numerous external links suggest a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16087371474781---476607177.pdf In PDF document text
    • https://purebodycare.courses/wp-content/plugins/super-forms/uploads/php/files/1ggr9untu1miquefp6elfe204n/kedutumuruja.pdfIn PDF document text
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ae7b76316ab---dopabogaxa.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607415d6b8389---46533565374.pdfIn PDF document text
    • http://copingconversations.com/userfiles/file/lofuvutonikokobimip.pdfIn PDF document text
    • https://www.escon.it/wp-content/plugins/super-forms/uploads/php/files/fb4babbb9b0a23b5c87060f1d32cef5d/tanunobegarerewaxemoxarol.pdfIn PDF document text
    • https://gangnampools.com/contents//files/40298531482.pdfIn PDF document text
    • http://abwingssuffolk2.com/uploads/files/bufotomezuziwurukizu.pdfIn PDF document text
    • https://master.plus/wp-content/plugins/super-forms/uploads/php/files/4ae2e5a8dd47157aba15a268f1e7b794/kagov.pdfIn PDF document text
    • http://csc0535.com/userfiles/file/20210720053559_6t1bxx.pdfIn PDF document text
    • http://lifestyleufa.ru/wp-content/plugins/super-forms/uploads/php/files/daafb6d6bc243420c4523b64a2a7ba14/legasexorizos.pdfIn PDF document text
    • http://www.jesuseslaroca.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b4f6154a09d---33114302557.pdfIn PDF document text
    • http://www.chicagoalphas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607126774333c---tifovujezajadak.pdfIn PDF document text
    • http://nhuaduongnhapkhauaz.org/upload/files/sumuxedefuxekujugirixaf.pdfIn PDF document text
    • http://goldmustang.com/files/files/mowuxuzuzamu.pdfIn PDF document text
    • https://larustt.com/upload/ckfinder/files/92223315558.pdfIn PDF document text
    • http://perechen-jurnalov.ru/js/ckfinder/userfiles/files/9453665575.pdfIn PDF document text
    • http://dabien.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/1607473209ccf3---vomototitibumosetaxemi.pdfIn PDF document text
    • http://indianspringhomes.net/userfiles/files/pisegomoxovar.pdfIn PDF document text
    • https://www.quatainvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16077633818bcb---suzeluzew.pdfIn PDF document text
    • http://gemculture.com/userfiles/file/53936777676.pdfIn PDF document text
    • https://drivingschoolofnorthtexas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbde15d4ef1---31271946864.pdfIn PDF document text
    • https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/1606f0afec804a---88325218912.pdfIn PDF document text
    • https://www.nrlandscapes.co.uk/wp-content/plugins/super-forms/uploads/php/files/2084b8ea15c3d929df9edc617562ee4a/19753541725.pdfIn PDF document text
    • http://bisenzia.it/userfiles/files/zebodagudolegatilemirapuv.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=vmware+workstation+15+cracked+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001038c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1038C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00011b9e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11B9E 17220 bytes
SHA-256: 2d5a8066e05a127721d731dbe1b6dec7ce12674b2afdd22d05fe9efc70d7e585
font_02_sfnt_off000148b0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x148B0 10864 bytes
SHA-256: 0f23837770c1f869da7353f1ad66535b249fe84e2479d97318de1b7e127e7c3e

Open this report in the interactive analyzer, or submit your own file for analysis.