Malicious PDF — malware analysis report

Static analysis result for SHA-256 c66cc1125b809399…

MALICIOUS

PDF

322.4 KB Created: 2021-07-02 02:42:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: 8adc8d95acf738aab5b1b93102351d60 SHA-1: 6d26008d1a4743c4e7a566489cabe2c9b7d859e2 SHA-256: c66cc1125b80939994407bcab80abecc58af471358ff8e5eb875ae4f662a1e2b
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. The heuristics reveal a link farm pointing to a compromised WordPress upload storage, likely serving as a lure for users to download a malicious PDF. The embedded URLs suggest a phishing pretext, potentially related to free downloads or urgent information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8681

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.olympusnorge.no/wp-content/plugins/super-forms/uploads/php/files/46t617p94kemrcgjuui02h6o0d/wojowipinobusen.pdf In PDF document text
    • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/85c629ae6d6fb1ee749f2f293ea0c145/sapuneraxivato.pdfIn PDF document text
    • http://middlegeorgiacoinclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090e232b6071---5586986534.pdfIn PDF document text
    • http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bcb9dde152c---fepumogevafutusobubajame.pdfIn PDF document text
    • http://jpind.pl/userfiles/file/konoz.pdfIn PDF document text
    • https://xn--80aaa1anac6cg.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/1fc2ad0bb9bd5948af2be30058feaca5/gokixe.pdfIn PDF document text
    • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/16095243a4e351---90442865518.pdfIn PDF document text
    • https://www.techsrollout.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac8ec0b4f6c---45592592345.pdfIn PDF document text
    • http://www.juniorcollege.cl/ckfinder/userfiles/files/83489801921.pdfIn PDF document text
    • http://duetsepolno.pl/userfiles/file/92097401452.pdfIn PDF document text
    • http://volamtuyetthe.com/userfiles/file/mirefagavulapelotafaz.pdfIn PDF document text
    • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/63f1219501da19c1e203e03b373b2a86/lerimipekeza.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609057fba754c---70718802366.pdfIn PDF document text
    • http://mamam.by/upload/File/file/wirebejezikel.pdfIn PDF document text
    • http://veiligheidssloten.nl/ckfinder/userfiles/files/44059827600.pdfIn PDF document text
    • https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/9d233409e3b54c1d4cda7018211637fa/55743752927.pdfIn PDF document text
    • http://asesorialuishervas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a435eb182b9---92626004356.pdfIn PDF document text
    • https://www.audifonosdoshoydos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbe1bd95323---nuwexebed.pdfIn PDF document text
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/6324a5e9c8da6638bb9511ffb98b1bc2/nexelizijusunifarax.pdfIn PDF document text
    • http://jmlukanich.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/lelaw.pdfIn PDF document text
    • https://arenda1s.ru/wp-content/plugins/super-forms/uploads/php/files/a7508f20504066168c10ca30ffea2661/72175293461.pdfIn PDF document text
    • https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/b1a87e66acae8c43f49421c964010cf9/45142018577.pdfIn PDF document text
    • http://caacoding.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609c037c4d026---sipowunajuserisejivipid.pdfIn PDF document text
    • http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee0361fb0e---85237012048.pdfIn PDF document text
    • https://www.brightfieldbusinesshub.co.uk/wp-content/plugins/super-forms/uploads/php/files/63ama6djb8tsopbt7oh4crc75m/37654572608.pdfIn PDF document text
    • http://www.festivalmarrakech.info/wp-content/plugins/formcraft/file-upload/server/content/files/16072e5cc33090---giwurugow.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=16+hp+to+ccPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00046223.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x46223 26104 bytes
SHA-256: 1411d88ce971dcf9249f76f6ba7c6c1668a03555f2fd0bcfac16c91da330dc03
font_01_sfnt_off0004a336.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4A336 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0004bb4c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4BB4C 9788 bytes
SHA-256: 5d6f4186bd2556f27472efebe30a4239bd986891138a6cabf18ecc8128402823
font_03_sfnt_off0004d0d1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4D0D1 5168 bytes
SHA-256: 5ae899df0bbcd48cc814fcc528ac13d26a4f44f9e694aa6c05647d9ec5b9a225
font_04_sfnt_off0004e3db.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4E3DB 16352 bytes
SHA-256: bf50d10787981527efbfd5e23523d6d3002f382cc8382d5161ec281dff5cac4c