Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd5ac4919a7bde61…

MALICIOUS

PDF

85.0 KB Created: 2021-08-04 14:14:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 8f1d18dff000d09b4d3a6a88dc75284a SHA-1: d095d5c5814bbe035115b888405a783ac1a0f7ab SHA-256: bd5ac4919a7bde61b1c17ed665e3b62454cb15e22d816f6a29af2f7c63b28a34
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, directing users to various compromised websites and disposable hosting. These links likely serve as a lure to download further malicious content, aligning with a phishing or malware distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cogersquest.com/clients/f/f6/f6194b381802d71b6842d6160e8859b1/File/4215232457.pdf In PDF document text
    • https://chamsocmuihong.com/wp-content/plugins/super-forms/uploads/php/files/okp2fchmp6agi9t4aj3370g7pm/lawikuwowufipazufunewi.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070ed07a3536---kutewewa.pdfIn PDF document text
    • http://myexamadvisor.com/fck_uploads/files/wujebizobir.pdfIn PDF document text
    • http://audiomaster.se/wp-content/plugins/formcraft/file-upload/server/content/files/160835c328d790---81624087765.pdfIn PDF document text
    • http://ilkyoukais.com/Images/Media/files/jiwirozidida.pdfIn PDF document text
    • http://www.qookspot.kitchen/wp-content/plugins/formcraft/file-upload/server/content/files/1607276623cb52---wobewilevodebisevamamiliv.pdfIn PDF document text
    • http://www.allatpatikapecs.hu/images/file/18543161152.pdfIn PDF document text
    • https://aykutemlak.com/upload/ckfinder/files/56218567559.pdfIn PDF document text
    • http://www.caribbeandentist.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090416a5edf7---rejijevewi.pdfIn PDF document text
    • http://uniradioweb.info/userfiles/files/jiguzakofivo.pdfIn PDF document text
    • https://mygamedaysports.com/wp-content/plugins/super-forms/uploads/php/files/17ef322b51bfe9f759f585b5559b1617/nezifewuzijitadula.pdfIn PDF document text
    • http://oryginalnedekoracje.pl/userfiles/file/tujisukedorop.pdfIn PDF document text
    • http://www.tobywells.org/media/fckdir/file/54951950547.pdfIn PDF document text
    • https://www.mobytec.com.br/mobytec/wp-content/plugins/formcraft/file-upload/server/content/files/160abb870626d9---labinazalof.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608fbc1d6b76a---91014161919.pdfIn PDF document text
    • https://saleskerala.com/ckfinder/userfiles/files/xudomurosu.pdfIn PDF document text
    • http://sheeld.org/clients/d/d0/d021426cee8527c21a172be12ef3d645/File/70783406208.pdfIn PDF document text
    • https://orrizon.ru/images/file/vadelovosa.pdfIn PDF document text
    • https://fellowpeo.com/wp-content/plugins/super-forms/uploads/php/files/368266d9e802ed01fa669c3646722787/vafabagukamememuxoru.pdfIn PDF document text
    • https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/91d9611a6a72f26499b89878bd4b3d0a/labuwujudibukip.pdfIn PDF document text
    • http://satit.nrru.ac.th/satit/_Adminis/ckfinder/userfiles/files/24998851842.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=kunci+jawaban+akuntansi+keuangan+menengah+berbasis+psak+edisi+2+buku+1+salemba+empatPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4c6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4C6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fcdd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFCDD 11552 bytes
SHA-256: 8af468e608ab6b268e7c397f7490a90aa6705087a3b5d609f149417d7cfeb59a
font_02_sfnt_off000117c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x117C2 17396 bytes
SHA-256: beb146845ad96bdd6931923994bfe6e4c9d2c3285888b360b6c90cb302c81242