Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7724e6472d0b42c…

MALICIOUS

PDF

73.3 KB Created: 2021-06-20 06:25:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23
MD5: 94b1139f5829a64741a5f52908bb7337 SHA-1: 419b7958b1b621c20d9514fa3d72fa6fe539e098 SHA-256: b7724e6472d0b42c757c3f1ff432493a246a95d2092d4118e1595412baf7d636
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, indicating a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains text related to "clicker heroes money hack", suggesting a lure to trick users into visiting these malicious sites. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://prokoncept.hu/admin/blogfck/image/file/foninegijidej.pdf In PDF document text
    • http://doublehappyvstheinfinitesadness.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608861b26e28d---38752358973.pdfIn PDF document text
    • https://impactcleaningserviceskc.com/wp-content/plugins/super-forms/uploads/php/files/85095a39b3703c9c93b2826fe8aa0a17/33808760038.pdfIn PDF document text
    • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aba2bc45407---24463918513.pdfIn PDF document text
    • http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609eb7a8e8d04---puluganisigujudi.pdfIn PDF document text
    • http://say-international.eu/userfiles/file/mapuvukomifopopoxa.pdfIn PDF document text
    • http://sanmarinreunion.com/clients/c/c0/c0747301521b2fcd71a0106c9132c7e7/File/ragomumidatasal.pdfIn PDF document text
    • http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c6640c79af7---pukubefopeko.pdfIn PDF document text
    • http://dentish.ru/ckfinder/userfiles/files/garatofabebeda.pdfIn PDF document text
    • https://rhythmcprandfirstaid.com/wp-content/plugins/super-forms/uploads/php/files/83c9ef2c286ac753c34e8fca7bd10a75/40408669480.pdfIn PDF document text
    • https://yziact.fr/wp-content/plugins/super-forms/uploads/php/files/uv1dqb4v8b791geq13hm5g6j94/zipixemebezow.pdfIn PDF document text
    • https://cal.lighting/wp-content/plugins/super-forms/uploads/php/files/9fdaa6d2006ada2389605cc22128898f/vusivimezixiseg.pdfIn PDF document text
    • https://sdyh.gr/wp-content/plugins/super-forms/uploads/php/files/gaargo68flh9773l0c7b1257u2/86156398516.pdfIn PDF document text
    • http://milcontabil.com.br/wp-content/plugins/super-forms/uploads/php/files/c90iobg3gitm2eovn6joc5fbn3/97434707726.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=clicker+heroes+money+hackPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d7db.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD7DB 2880 bytes
SHA-256: b90b109c34db9b2d961be312c0c64f13ba4f5af9c83d6ae4556a72cb7f468167
font_01_sfnt_off0000e219.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE219 5112 bytes
SHA-256: c45180db51907431f9e8ebf12e94b8b9604693aa4716659ad2d87c50cbff9549
font_02_sfnt_off0000f357.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF357 10844 bytes
SHA-256: 8926d1accfe8d5b946aa598b3aab9dcb0f3111eaa3e6abc98b9498c868fbabac