Malicious PDF — malware analysis report

Static analysis result for SHA-256 b80b3fb19ed329a0…

MALICIOUS

PDF

110.5 KB Created: 2021-06-10 00:17:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-24
MD5: b54a31b9534254af6873ae5c82b0f1e8 SHA-1: 7b39507be695727b565bdb8e8eb29ae85c56437c SHA-256: b80b3fb19ed329a0bdb86a71b27f0b2baa05961842ff3ac9e4b315ccc7d85cb0
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=gfx+tool+apk+pro PDF link annotation
    • https://edmaker.site/wp-content/plugins/super-forms/uploads/php/files/5ba0467bbb7cbeeaf7a904eacb4610b7/nivifojobajidelepasomesum.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160821badf11b1---jagonujatulir.pdfIn PDF document text
    • http://expresskaliski.info/file/88938532873.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/utgu3u0v4oo6jk51agm27n12g0/lasunojukifowewutukedov.pdfIn PDF document text
    • https://108pizza.pl/uploads/userfiles/files/baliranadodugetap.pdfIn PDF document text
    • http://www.euro-fly.eu/userfiles/files/gubusaposulezenuxunezaja.pdfIn PDF document text
    • https://fentesmakina.com/paket/upload/files/punasixadobiwawifijevox.pdfIn PDF document text
    • http://macautemple.com/userfiles/file/58112897670.pdfIn PDF document text
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/5b73014c6008c082eb4643f9479fd2b2/21072233440.pdfIn PDF document text
    • https://www.rydalmereprestige.com.au/wp-content/plugins/super-forms/uploads/php/files/u1vbv42qsuhuht8mclrhreb346/75840584986.pdfIn PDF document text
    • http://www.maarsehoveniers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160721da7bac91---getizilafizokodazel.pdfIn PDF document text
    • http://alhouti.com/userfiles/file/nasomolowin.pdfIn PDF document text
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/160792736419d1---noraxenesivufiwit.pdfIn PDF document text
    • http://avtoarka.ru/wp-content/plugins/super-forms/uploads/php/files/e53cf4f90e16183a5e39cba606f497c7/wodaxenebigoregaxot.pdfIn PDF document text
    • http://1hozain.ru/files/userfiles/files/begoziwukefaxemow.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dfaf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDFAF 11496 bytes
SHA-256: f2dddf551c79529e785b91a6a2e8154c315ee68c919c2676a2d231f5bea76a86
font_01_sfnt_off0000fee6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFEE6 25924 bytes
SHA-256: 2eecc21afdd6b917265234f74e4a56e00fa348ad25c58adc0903cdcbb1b1a2c6
font_02_sfnt_off00014f63.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14F63 4880 bytes
SHA-256: 17e8bd76759634a7b815d9eaa04a33fc7388ddac4a9414a3cdfeeca4765d4269
font_03_sfnt_off00016012.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16012 3288 bytes
SHA-256: 0045bd2ad3d834f0170742955dd58ed4e9b6195e5c2e507af19a4b00916ee2fc
font_04_sfnt_off00016d4f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16D4F 11500 bytes
SHA-256: b77c2ef1caea1425dcd76598e15f30e572b3ca803591fe539650d5240ac7170f
font_05_sfnt_off000194b9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x194B9 16312 bytes
SHA-256: aad9bc0f36eadc3314e08670b59090120051e308b357201f134af3d0b781b2b0