Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9d02c51700aa68b…

MALICIOUS

PDF

92.1 KB Created: 2021-06-13 19:11:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a28d9f281c1752af955a0377bb7f508 SHA-1: b4c40aae14ca79dfae9d03783f204ddd1c8ec990 SHA-256: c9d02c51700aa68b5e0a0abf845868ef6d37490bc702a39f8a8acb6d8fc24d4f
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple links to external websites, many of which are hosted on compromised CMS platforms or disposable domains, suggesting a link farm for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or delivering a secondary payload. No scripts were extracted, but the presence of numerous suspicious URLs points to a watering hole or phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=speakout+upper+intermediate+2nd+edition+teacher%2527s+book+pdf
    • https://www.heracles-hotel.eu/wp-content/plugins/super-forms/uploads/php/files/f28h0e45etvodb4nk4strs4dus/xijelisomi.pdf
    • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607841d4f171a---37352984004.pdf
    • https://www.physioaktivkramer.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c167f6ee724---ponufobenidafadakogo.pdf
    • https://levin-dent.ru/wp-content/plugins/super-forms/uploads/php/files/499aaa16309c8d3782f437c9a2adca96/58021597552.pdf
    • https://designcoordinators.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f2c2cc057e---35994180626.pdf
    • http://rainbowcaterers.in/userfiles/file/92380948321.pdf
    • http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a5fcf32a48d---54167675975.pdf
    • http://actionelectric.pt/www/wp-content/plugins/formcraft/file-upload/server/content/files/160c1636ff1c50---65699102299.pdf
    • http://getem.plfiles/file/8962332770.pdf
    • http://www.optionassurance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16072b108eca75---jagijixupabuleri.pdf
    • https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/5b68b3e53d4719455f76b39eaf6b4c4b/dutuv.pdf
    • http://birzebbugastpetersfc.com/files/file/3352747933.pdf
    • http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089dc03269eb---74385708062.pdf
    • https://planet-pvc.com/upload/files/85278825316.pdf
    • https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607200cfecb0e---beluvufijedetutomomepido.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012662.bin
ddb45e4cd060f8cff901c36908c86cbfd0b0fca97bdb56b9b892ee63d4f2f9ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12662 5836 bytes
font_01_sfnt_off00013a1b.bin
658ed3a5746d3ad7fcfa23fe075af49ac7208495e14921968c9ea658701e1932		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13A1B 12692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.