Malicious PDF — malware analysis report

Static analysis result for SHA-256 b81c943418c3d59d…

Verdict: MALICIOUS
File type: PDF
Size: 219.5 KB
Created: 2021-07-20 21:49:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-14
MD5: 4169d7b0db3d668cd02037e60da64018
SHA-1: 1b373766b81ee0108e01c4f6c549cf4b9da54785
SHA-256: b81c943418c3d59dc57ca7d2ebea354a38085b98816226e252a11668bb86b8b3
Risk Score: 174

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV and by the ML classifier, and high-severity heuristics indicate that it is a PDF link farm pointing to upload storage on compromised CMS installations. The document body is unreadable, but the heuristics suggest a phishing or malware-distribution lure delivered through compromised websites. No scripts were extracted; the risk lies in the embedded URLs and the link farm, which are intended to redirect the user to malicious content hosted elsewhere.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9849

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    The document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). This is useful context but is low-signal on its own without other findings.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000301ed.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x301ED; Size: 18060 bytes
    SHA-256: 6b1f7162efe3e5df39c7a9dfea7346d193219973c11d267538f588f175f52f68
  • font_01_sfnt_off00033062.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x33062; Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_02_sfnt_off00034879.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x34879; Size: 10616 bytes
    SHA-256: 0bef3ffd676ea5dd84fc6962025a6072b39d2954df783c7c0515b5e8b86ca23d