Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8783201e726ac97…

MALICIOUS

PDF

91.3 KB Created: 2021-05-31 18:22:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9415d14aaf7e731591ee12c8aaf63167 SHA-1: d1caa0cf8eef79aaada843fbe4ed68f04b6cd47f SHA-256: c8783201e726ac979ac4b1cb1c49f1231419684e264165442feda1f16d397c74
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple links pointing to compromised WordPress upload storage, suggesting it's part of a phishing campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a phishing lure designed to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/dc4d05d975fb154310df297787756a09/lugufumemizal.pdf
    • https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/jsadripe7df3djn974mjq2maev/paniwi.pdf
    • http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160a9865d27bff---94386325235.pdf
    • http://opalsolar.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1606eafc472e04---palowovedagaxoju.pdf
    • http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/96dbfccafc321c8cc31572c297f2d5ec/pidor.pdf
    • http://ruresept.ru/files/file/bukidumarupoguzoboxaduvux.pdf
    • http://lbs.ac.at/wp-content/plugins/super-forms/uploads/php/files/jr8sfvtklic163qkflh09vec7o/62384605063.pdf
    • https://www.alignerco.ca/wp-content/plugins/super-forms/uploads/php/files/d78086661f05f41ddb7b571fd047b5b2/kefamilesazanabimisefu.pdf
    • https://luxartparquet.com/wp-content/plugins/super-forms/uploads/php/files/3bf868db1007c8df8d850987df93c91c/remugaloleluzoluvivi.pdf
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a91cec1495a---dewudekuxon.pdf
    • http://ar-intl.net/wp-content/plugins/super-forms/uploads/php/files/uueopgbq8ng7v51oojv0bf1rd6/girudererororirekotowafu.pdf
    • https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/a8dd3ad80984631338e344aa5ee2c623/vowegiruvutajesuxaxaf.pdf
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/2a147e3cdbc0c095669aae7acbfde850/golumagivenidiparu.pdf
    • https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/cee14rp7qtereun90pfhs5ee6s/45802041711.pdf
    • https://stellabakingcompany.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098a5d9dfc73---dekefovosenewivukezixaf.pdf
    • https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607764aa91f7f---1084639865.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=super+mario+bros+64+rom+hack+download
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001166c.bin
51fddb72399f414960401ed550a45255cd0932b3cfa1fc439fdbec0610aa2353		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1166C 5756 bytes
font_01_sfnt_off000129d4.bin
c4df18142d04938959c0e89e47731b3f6deda9d6c03c543c4bf66136af4ed09e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x129D4 12028 bytes
font_02_sfnt_off0001521a.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1521A 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.