Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfdc92970fd6e0db…

MALICIOUS

PDF

96.4 KB Created: 2021-06-20 13:08:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 6170fab4e06d39370b2679cd41d68e2f SHA-1: 9a9ef94bbc288d0e0ea53e284adebec72e4e44ec SHA-256: bfdc92970fd6e0db1988072f59d35712e8db53e59d521894787582e8b3ef5fc7
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF was flagged by ClamAV as 'Pdf.Phishing.Trojan' and an ML classifier returned a high probability of maliciousness. The document contains numerous embedded links, many pointing to compromised CMS upload directories, and a heuristic identified a visual download button lure. While no scripts were explicitly extracted, the presence of external links and the nature of the heuristics suggest the PDF is designed to trick users into downloading further malicious content, likely through a phishing or SEO poisoning scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=makka+cholam+dosai+recipe+in+tamil PDF link annotation
    • http://agiusfuneraldirectors.com/files/file/gikelupovebepafotagig.pdfIn PDF document text
    • https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/cf5a64fe4f14a8a5d4fe64e471ce8aef/gogugezutigulow.pdfIn PDF document text
    • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae324ef0694---17316703270.pdfIn PDF document text
    • http://enjoy.sk/editor_uploads/system/files/62062203850.pdfIn PDF document text
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160892b8835d77---wepupitusalosowozi.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a9d690197f---fixejijasevuxejosugo.pdfIn PDF document text
    • https://www.adelaarenergy.com/wp-content/plugins/super-forms/uploads/php/files/l8ntfc7oj1qmfu0pqq1u35a1qj/sovudefiwibute.pdfIn PDF document text
    • https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/9b4a6467c407fd6b75e8d6bf2188a5d6/jemeveliduxopimekomige.pdfIn PDF document text
    • http://studiomanzella.com/userfiles/files/fewuxizupux.pdfIn PDF document text
    • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/63855f42271b0b4a8c0887f5e6e5425e/44419663011.pdfIn PDF document text
    • https://extremetour74.ru/wp-content/plugins/super-forms/uploads/php/files/2759b04ac27ac7ba7a4d7025cffc24c7/64357991925.pdfIn PDF document text
    • https://asiarsolutions.com/userfiles/file/pafilijugojewufotavav.pdfIn PDF document text
    • http://ghhs1968.com/clients/5/57/5762190d0a265df614d1f295a7060a42/File/30633688658.pdfIn PDF document text
    • http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/lmf6519m41tjv9cu5ujrfecuv6/luwurisopipaw.pdfIn PDF document text
    • http://jjmcp.jp/userfiles/Image/file/zonotuxeweju.pdfIn PDF document text
    • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/bjbcfbsi2ofqe93h3tbn3ducv2/mejuv.pdfIn PDF document text
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab384f2a6da---69163832126.pdfIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000131d7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x131D7 3652 bytes
SHA-256: 3cdcbbc6e990c126ac7effe8b5d66f48393b815231c389e14e22600693053384
font_00_sfnt_off0000f934.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF934 5384 bytes
SHA-256: d9ac526632bee0f2ea84a96d42d12ef19c71ff7bcf1ffb19ade0414226b4eea6
font_01_sfnt_off00010b57.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10B57 17244 bytes
SHA-256: 2583aa2fb5086e62780fecd6dbee17cf072456d091914ffa490926fb4209c885
font_03_sfnt_off00013fbf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13FBF 11100 bytes
SHA-256: 6ad2e84e176cf8de61870b5a0283a5032d10208fc883dd25eb145b9d75d16859
font_04_sfnt_off00016555.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16555 3100 bytes
SHA-256: 2fd6bd60c2df7220309419e59c2f40337be798de661cbbbe357281b5051dda37

Open this report in the interactive analyzer, or submit your own file for analysis.