Malicious PDF — malware analysis report

Static analysis result for SHA-256 c80bf3b1d05292fb…

MALICIOUS

PDF

84.3 KB Created: 2021-07-26 05:29:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: e0cc57e2f92ead0218a83114906c5dc1 SHA-1: 90263868335a9b46d208c4ae1ccdbe83cb0ac638 SHA-256: c80bf3b1d05292fbdc7585b3cb93139f11b6c7891379434c984c5e8544617616
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. It contains numerous links to external websites, many hosted on compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The document body is heavily obfuscated and contains no readable text, further indicating a malicious intent to conceal its true purpose.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dentinale.eu/wp-content/plugins/super-forms/uploads/php/files/fb4a5fa85e74e9ffd9172a0121461d0b/90374114241.pdf In PDF document text
    • https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/86e09a2d57d56ddf834d4fb9a2e27e48/wifola.pdfIn PDF document text
    • http://elonsummerstorage.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cad8549a77---paxadigimuvowedu.pdfIn PDF document text
    • https://www.sgestrecho.es/wp-content/plugins/formcraft/file-upload/server/content/files/16072d48845fce---67730040277.pdfIn PDF document text
    • https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5cbc7fbbb---67559449262.pdfIn PDF document text
    • https://ilc.ua/wp-content/plugins/super-forms/uploads/php/files/uohfifmttlu8dl4uaq6c721ai4/ratevikegizajulawodi.pdfIn PDF document text
    • http://freemansphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092890c27d4f---76896819420.pdfIn PDF document text
    • https://advancedbusiness.co/wp-content/plugins/super-forms/uploads/php/files/0868c2716fbe91109940263a09986599/64985107201.pdfIn PDF document text
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/2b9m9bbt1ek7lod8em1edjnt7j/pazozarudesofusedera.pdfIn PDF document text
    • http://twfindia.in/userfiles/files/lamojotipiwapurazi.pdfIn PDF document text
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/2a2ae7f38bb41c5773dda26a0e962b6c/terogonutaran.pdfIn PDF document text
    • http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/16078822b8885a---14941138382.pdfIn PDF document text
    • https://alfa-clining.ru/wp-content/plugins/super-forms/uploads/php/files/710b9596ea8cd7a0ba0eacc44b660d8a/74758445776.pdfIn PDF document text
    • https://grahampropertytax.com/wp-content/plugins/super-forms/uploads/php/files/3ccfe95fc5c883fbff4aaf42f634cfac/zoxakiralalulak.pdfIn PDF document text
    • https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160c1d0767b38f---7228534936.pdfIn PDF document text
    • https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a8413f1ee1e---16516612912.pdfIn PDF document text
    • http://www.qookspot.kitchen/wp-content/plugins/formcraft/file-upload/server/content/files/1606c6c3976a96---84770105877.pdfIn PDF document text
    • https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/30d0b6450b52e8c6a215a30a949608a8/17345677211.pdfIn PDF document text
    • http://kezmosas.hu/files/file/2735064037.pdfIn PDF document text
    • http://dermatologomiguelgallego.com/miguel/fck/file/kujakorotanelemururava.pdfIn PDF document text
    • http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099ea7a22aea---duzudidabozo.pdfIn PDF document text
    • http://connect-event.fr/ckfinder/userfiles/files/tadoletu.pdfIn PDF document text
    • https://cabsfromheathrow.com/userfiles/file/wefazidolob.pdfIn PDF document text
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/65738891cc32e0f550b7f7e5b487134b/17876569770.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=server+2008+r2+download+32+bitPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCB95 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e3a6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE3A6 17356 bytes
SHA-256: b33810f93c86c6f6e61fac71f764fb79603f968d7b68e324eed0dd239222c4d8
font_02_sfnt_off0000fdbe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFDBE 16236 bytes
SHA-256: f640ab98bb75f8b478cac1233534c5c6322c928a595d1632fb8615f0905ff479
font_03_sfnt_off000127ec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x127EC 11060 bytes
SHA-256: 8d4773a7f409120a9c7ed100036001de0100d2d2849e519854666325bf110185