Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3e778735b5133e9…

MALICIOUS

PDF

89.7 KB Created: 2021-07-14 08:35:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 545e8ef6d98a1c0a69e3a9c0694e5c42 SHA-1: f231ca9271b35e2123a3e97ec4326c7547397903 SHA-256: c3e778735b5133e9568764c3998088325942937f06019c309a6efde2f76c25d1
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document identified as malicious by ClamAV and an ML classifier. It utilizes XFA forms and contains numerous embedded links, many pointing to compromised WordPress sites or disposable hosting, suggesting a phishing or malware distribution campaign. The PDF's structure and embedded links indicate an attempt to lure users to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/uplcv?utm_term=earth+environment+day PDF link annotation
    • http://bfr-bialapodlaska.pl/userfiles/file/60872704770.pdfIn PDF document text
    • http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160843f21113d0---zatiditakonobozivexev.pdfIn PDF document text
    • http://phyllisrubensteinlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/30873713515.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b83614d6f2c---67697725645.pdfIn PDF document text
    • https://ilc.ua/wp-content/plugins/super-forms/uploads/php/files/3m4h071rgkts32fshl9tj18od1/98817872726.pdfIn PDF document text
    • https://hasekei.jp/userfiles/file/bineki.pdfIn PDF document text
    • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/jfmk54sth29dqheof1i7e06841/finimupemeboxejeli.pdfIn PDF document text
    • https://sevsport.info/wp-content/plugins/super-forms/uploads/php/files/4dee1dbf3474de7ec4384606e62fecbb/33977637538.pdfIn PDF document text
    • http://partnercable.hu/files/22027388336.pdfIn PDF document text
    • https://janeunchained.com/wp-content/plugins/super-forms/uploads/php/files/j8bh64up7v63st5mr4ia4h7liv/46083026498.pdfIn PDF document text
    • https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/813ee688fe266b31d44a5fbc7a182198/rudatudakufokizora.pdfIn PDF document text
    • http://charivne.info/images/file/zutadujov.pdfIn PDF document text
    • http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/ufrh4geijliac5civ3ssvd0bu1/47826032017.pdfIn PDF document text
    • https://numen-wow.com/userfiles/cloud//files/nojomifitisaxeritipaga.pdfIn PDF document text
    • https://www.die-umzugsfabrik.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086a943d05f4---83834048930.pdfIn PDF document text
    • https://euroroma-bg.org/files/file/92913402652.pdfIn PDF document text
    • https://arrayamed.com/userfiles/file/98005742620.pdfIn PDF document text
    • http://camwater.org/media/files/fusudovajafatuduvomujin.pdfIn PDF document text
    • http://madiagranitosilano.it/userfiles/files/terepovifabejoveluguv.pdfIn PDF document text
    • http://finpacecuador.com/userfiles/file/liwapovabelaselekapev.pdfIn PDF document text
    • http://nktrading.qa/file/files/27138800346.pdfIn PDF document text
    • http://begemot-rus.com/uploadfiles/file/2021071221332973499.pdfIn PDF document text
    • http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/7612c4c7c225bbe3ee1cec9db33a36d6/66215533079.pdfIn PDF document text
    • https://drainscovers.com/wp-content/plugins/super-forms/uploads/php/files/cf50c9c1779e22f829d7fe54b3cc55e5/63974196607.pdfIn PDF document text
    • https://www.mobytec.com.br/mobytec/wp-content/plugins/formcraft/file-upload/server/content/files/1608e4eca9cc2a---tagikizonokonufiniv.pdfIn PDF document text
    • https://www.azembay.com/wp-content/plugins/super-forms/uploads/php/files/14rv03mk2egeosb83fs5jo7ir5/70402448140.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc73.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC73 10460 bytes
SHA-256: 6b573b82bfb4f41c409d470d78e0f20e30e55870b869076a4f0452202744b4ab
font_01_sfnt_off000113fd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x113FD 17396 bytes
SHA-256: 2fd66aefc9fd7638077a1cc6d043b05f80d6b03d29fe4aef380b95db2d979d0b
font_02_sfnt_off000141aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x141AA 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1