Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9f3b1263707ca2f…

MALICIOUS

PDF

259.1 KB Created: 2021-06-14 14:54:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: e7648fe188cf20c0f638b93daed4176e SHA-1: c0e37867809ecf7a3eec408f9f0dd4dbb3f4162c SHA-256: c9f3b1263707ca2fb36f12a689cb03a598cf1a95a0f3cf747b3f26ee117c7c74
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9945

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/uplcv?utm_term=piggery+project+proposal+pdf PDF link annotation
    • https://www.ptlittleflower.org/wp-content/plugins/super-forms/uploads/php/files/48h2s6u5umkfjuvmp4rpnm4gi5/36152192559.pdfIn PDF document text
    • https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/j9ibudp5dh7r9rbe1837dsspo4/43875199494.pdfIn PDF document text
    • https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/929162f5bd6bcaf070688f756a455810/37663430563.pdfIn PDF document text
    • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1607232e4c370c---46008060308.pdfIn PDF document text
    • https://k9-warrior.com/wp-content/plugins/super-forms/uploads/php/files/fkj2rn2ksvdfg3o6lj5kkq4ue6/wedipugixom.pdfIn PDF document text
    • http://bclgrouptt.com/userfiles/file/28493042945.pdfIn PDF document text
    • https://118highschool.am/wp-content/plugins/super-forms/uploads/php/files/428e2558b0132fa40eac605039508765/zirumoxefud.pdfIn PDF document text
    • http://donghozibistore.com/luutru/files/85439739644.pdfIn PDF document text
    • http://rocb-ap.org/file_media/file_image/file/35984598320.pdfIn PDF document text
    • http://prodesign31.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1608270cfe856e---vaxorekara.pdfIn PDF document text
    • http://www.barankayalar.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/16074a5f224400---sewef.pdfIn PDF document text
    • https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160b605414e096---63226233629.pdfIn PDF document text
    • https://jjmassociates.com/wp-content/plugins/super-forms/uploads/php/files/8b6a002dba021b18a52640d8ee347021/52436376218.pdfIn PDF document text
    • http://fontawesome.iohttp://fontawesome.io/license/In PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003b57a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3B57A 1872 bytes
SHA-256: cf373f8eb364677dc8d29ae0cbe658a1b8665e9067f0cd69b3a2e84d4b370a53
font_01_sfnt_off0003be6e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3BE6E 5500 bytes
SHA-256: c5500ba62415288e18472053a6030845f47f86480e8a1902ad18709b10032ff3
font_02_sfnt_off0003d143.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3D143 12716 bytes
SHA-256: d50a92322e0630c20f404b541e0235f78e021a049b87cbc83b5f12f7aceea290