Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2576189becf6ae6…

MALICIOUS

PDF

115.1 KB Created: 2021-06-29 22:05:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: dfade119d6353dcb0cde72946736162a SHA-1: ea014c66d4fd3f15631bd88fcf684847f7d77748 SHA-256: c2576189becf6ae6de9be442cbcde1bc3a33dc1236babee44902eed407e04502
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm hosted on compromised WordPress sites, with numerous URLs pointing to potentially malicious content. The document body was unreadable, but the presence of multiple links to compromised domains suggests a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9639

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dangkyidol.com/wp-content/plugins/super-forms/uploads/php/files/maa51vrf89fb0jf4f6tg30q6is/zekizedufakelo.pdf
    • http://andlupa.com/userfiles/file/jopologelawum.pdf
    • https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/d3196tccltj9bpkbu2tdb8ta3m/kabemorozexi.pdf
    • https://sgpropertylawyers.com/wp-content/plugins/super-forms/uploads/php/files/17a2322f5761051cd5b258d77feb7224/kunoginogepunawaki.pdf
    • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a18d2207df1---pigiwidaxinamotuse.pdf
    • http://www.adarshvidhyasankul.org/userfilesfile/zaduxulimejebiserapi.pdf
    • http://driver-jazda.pl/upload/file/80198122724.pdf
    • http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/koxukege.pdf
    • http://pleasanthillpchurch.com/clients/5/55/55aa087cacc886b2254ddcc242c0699b/File/71125503335.pdf
    • http://studiodrago.eu/userfiles/files/13363979252.pdf
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c5982d833da---41766394506.pdf
    • https://www.davinci.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160801cbb8b345---mifederipaximufidusotelud.pdf
    • https://www.die-umzugsfabrik.com/wp-content/plugins/formcraft/file-upload/server/content/files/160996e56326b8---webenimimo.pdf
    • http://wbbray.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085409c1c1c1---63688674365.pdf
    • https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/160b4df7a128ac---xujebapubureve.pdf
    • http://poiskvod.ru/images/file/50435956963.pdf
    • http://beachfirebrands.com/userfiles/file/kazutase.pdf
    • http://redfordunion70.com/clients/869360/File/69250071652.pdf
    • http://pelesiuvalymas.lt/i/File/64972393271.pdf
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/498ce9d582e2f9e67429cb22d91c6b97/zovikopigufube.pdf
    • https://advancedcheckcashadvance.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b270cd5a8a7---funowetezovipolezibad.pdf
    • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c1119c4b71f---valafi.pdf
    • https://heuresromantiques.com/upload/files/tuvunem.pdf
    • http://stensoproject.com/userfiles/files/86442273577.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096f4a1cc99c---39278522440.pdf
    • https://sketchup360.vn/wp-content/plugins/super-forms/uploads/php/files/fvnv9ia5todnvemvpbeel2oj88/18030031178.pdf
    • https://victory-agency.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cfcf451285---14448706062.pdf
    • https://aawyx.com/sites/default/imageuser/file/zomidebezuxoxasetizuxop.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=a+paragraph+for+handwriting+practice
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001569d.bin
2b6bf31f88e05c7a91d737557df1a06d7c5e084c80c85daad546c3be2ff3ae04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1569D 10752 bytes
font_01_sfnt_off00016f20.bin
15171638d69c9281a983de8a04f8d213e5ed86d33053034f6aa0dd130c4010d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16F20 1700 bytes
font_02_sfnt_off00017733.bin
ecbf4584e888a79efd22627ec5cafba3ae4ae95e8fac5ca2a51e7174ff4fa20b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17733 18076 bytes
font_03_sfnt_off0001a65f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A65F 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.