Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9ff890759f6f2d5…

MALICIOUS

PDF

177.0 KB Created: 2021-06-28 07:11:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 326cbd4bca676cc81e3213d1f684544a SHA-1: 586e1ac1089c051d259ca667082e51dc7ea8d779 SHA-256: c9ff890759f6f2d52ef4c58e3322f05221aa4af354c3d514700fc47beecb1d28
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links, many pointing to WordPress sites utilizing the 'formcraft' or 'super-forms' plugins, suggesting a link farm designed to distribute malicious content. ClamAV and ML classifiers identified this PDF as malicious, specifically flagging it as a phishing trojan. The presence of multiple distinct hosts and the use of UTM parameters in some URLs indicate an effort to obscure the true destination and potentially leverage SEO tactics for distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9652

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://subarini.ro/mm/file/31246697647.pdf
    • https://pankalconstructora.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609229a4a0279---wewigiv.pdf
    • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/160866ad31dae4---15008190725.pdf
    • https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/09b01d4bd358850f26d687090890ca3d/79011358512.pdf
    • http://becro-plast.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1606c965c62f35---jebuvubopu.pdf
    • https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/u7t391iufjbc3lptatjnl4vmiu/62680089013.pdf
    • https://marljivo.hr/userfiles/file/gupebufire.pdf
    • http://kyanite.tv/userfiles/file/tokikokorejufe.pdf
    • https://ludifrance.fr/userfiles/file/wuwimijibakusujever.pdf
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c48c82b5f08---pelawox.pdf
    • https://arnetbilgisayar.com/upload/ckfinder/files/46609522736.pdf
    • http://wmc21.com/ckupload/files/97794884924.pdf
    • http://cristal-in.fr/userfiles/file/35540630591.pdf
    • https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/2qhqc9ngv9skvpdrsgmih7floe/xanipavufugir.pdf
    • http://brmhn.com/userfiles/file/20210525064801_a4tz00.pdf
    • http://entone.es/wp-content/plugins/super-forms/uploads/php/files/95c2ff6dc8652722a9082e6a6e6ad2eb/garoxetupa.pdf
    • http://bubblesoflove.net/wp-content/plugins/formcraft/file-upload/server/content/files/160af052cd23e5---65454471160.pdf
    • https://howardsteeves.com/wp-content/plugins/super-forms/uploads/php/files/55df107bae92deefba45f98ef4556304/44112962071.pdf
    • https://artsketch.ru/wp-content/plugins/super-forms/uploads/php/files/755816a0b8b61f1edb5c580951ad88a9/32127708129.pdf
    • https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/364ec53d2653a5c062c1d477ea0e1409/jeladibatunowokam.pdf
    • https://eitmedu.in/ckfinder/userfiles/files/12920724292.pdf
    • http://business-plan-capalpha.eu/mbp/upload/images/images/upload/ckfinder/10415188941.pdf
    • http://www.norestim.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608a9e0c2e967---65376620450.pdf
    • http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/rslfql2bf80808n9u5l391f3c6/82313668505.pdf
    • http://www.lbf-cosmetics.com/website/wp-content/plugins/formcraft/file-upload/server/content/files/160874de19e179---wikasofasobepodofopuxa.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=foul+smell+meaning
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001b473.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B473 16792 bytes
font_01_sfnt_off0001cc8a.bin
9e9d64d7188cdaca6d409d9a0a60d075192bb3e3a904457729b042f1930ce9da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CC8A 10328 bytes
font_02_sfnt_off0001e3c3.bin
486412542c2eadc6db221d03b8e42fb9746c7a00d17300b0e90cb0c4fcd4b3c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E3C3 19784 bytes
font_03_sfnt_off00021763.bin
6de5631c95600134f89d7e92437e1fd1570cbc802e74b8d421e33c64e34b9219		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21763 61620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.