Malicious PDF — malware analysis report

Static analysis result for SHA-256 c234405357a64612…

MALICIOUS

PDF

94.6 KB Created: 2021-06-11 05:33:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 2cdd30f6e15a3b8a18c098f3a1eda479 SHA-1: 444ca9778e869d322ae32baa733071b0192f9aea SHA-256: c234405357a646126563ca4759a4d7c251cde7c35a1110d369a83047acef1da3
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=10th+science+guide+tamil PDF link annotation
    • https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/499062d530be1c7fb2d35573e0ecc3d0/13711693259.pdfIn PDF document text
    • http://go-trec.com/wp-content/plugins/super-forms/uploads/php/files/vapi3p2g2u42986d5rolvkf7fl/56648388196.pdfIn PDF document text
    • https://rhagro.com.mx/wp-content/plugins/super-forms/uploads/php/files/5b69a3c3573f64fa75d990a16371742b/30771000365.pdfIn PDF document text
    • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/rceufike2lsenctj3fbhfjvdj1/nizalufagikafi.pdfIn PDF document text
    • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/8eab00dd8f44094ec8295039e0039597/lijivapobajor.pdfIn PDF document text
    • http://vorne-sitzen.eu/pcms/content/file/38125508888.pdfIn PDF document text
    • https://hcs1000.org/wp-content/plugins/super-forms/uploads/php/files/26ebc1c2bc57e941b66c1d3f36ec0ae8/nekewe.pdfIn PDF document text
    • http://perles-del-beya.com/userfiles/file/27519007028.pdfIn PDF document text
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075c184d107c---28970197112.pdfIn PDF document text
    • http://www.lentilles-progressives.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607122ea894c8---49026817104.pdfIn PDF document text
    • http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ac7d9ca77fa---34629627847.pdfIn PDF document text
    • http://chi-kara.net/userfiles/file/266436207.pdfIn PDF document text
    • https://rocksoliddesigns.biz/userfiles/file/82245505624.pdfIn PDF document text
    • https://puertoestereo.com/wp-content/plugins/super-forms/uploads/php/files/p2o5ic6ffapa5tem7fd38rjbdn/78600745863.pdfIn PDF document text
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/160be456cb0947---80493513470.pdfIn PDF document text
    • https://xn--i1aam8cb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/bcc9dbb88a3eb0c7def3ec267992e9e1/64472400136.pdfIn PDF document text
    • http://dodici12.ru/wp-content/plugins/super-forms/uploads/php/files/7mbuic5rh6tq9cduilp6josja1/durobupexemomigazepe.pdfIn PDF document text
    • https://www.histoiresdegroupes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160777f9e1a0f2---68648442725.pdfIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00011992.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11992 8448 bytes
SHA-256: 1bcfff89e3e251025a5a07ea378375cb50c927f34a91cd6cd82746a563ce6ae5
font_00_sfnt_off00010781.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10781 5356 bytes
SHA-256: f9dbc58ae99888f609b84b6dc3d7eb903018064b1749b4d7ebc87f1d3bcd2898
font_02_sfnt_off000131f5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x131F5 10888 bytes
SHA-256: 1b840a253476ea56bb53f694a79a258bd422c37cb5f495ef8509a725129a69be
font_03_sfnt_off0001574a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1574A 16164 bytes
SHA-256: e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6