Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc264a27cdc74f6d…

MALICIOUS

PDF

88.6 KB Created: 2021-07-07 13:04:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: d9eb4a0fb4afe630aa09cbe58b2d4811 SHA-1: e7c557ce8b0a3608fa5f2e4851d65a3f46b2c196 SHA-256: cc264a27cdc74f6d523024522151aa85692198ee613177760d549a6fdc8f9da1
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document exhibits social engineering tactics, specifically a 'ClickFix' lure, instructing the user to copy and paste commands into a terminal. This is a common method to bypass macro restrictions and trick users into executing malicious code. The document also contains numerous links to potentially compromised websites, suggesting it may be part of a phishing campaign or used to host further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://calmoinc.com/upload/editor/file/regipazevijinifukax.pdf In PDF document text
    • https://www.digitalsofts.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080426420cbb---52631809828.pdfIn PDF document text
    • https://lastcallslc.com/wp-content/plugins/super-forms/uploads/php/files/65b71f0168c6a77d376b237bf05411a1/4847675808.pdfIn PDF document text
    • http://alibabashipping.com/userfiles/file/sokinitopason.pdfIn PDF document text
    • http://stellamaris.cz/userfiles/nusafetakoxadijenikuko.pdfIn PDF document text
    • http://somsit.com/ckfinder/userfiles/files/19791237751.pdfIn PDF document text
    • https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/16082480474fdc---marajudisigobipovijokofa.pdfIn PDF document text
    • https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/935eda58e77bfbb3c22ed6049ee32c6b/kekobunulesumeperatov.pdfIn PDF document text
    • http://expresskaliski.info/file/lomosek.pdfIn PDF document text
    • https://matskaren.se/anvandarbilder/203/files/95624721134.pdfIn PDF document text
    • http://rothemtour.com/FileData/ckfinder/files/20210701_46E9621B42A6F748.pdfIn PDF document text
    • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac7022f3154---fopusexifubokokufuj.pdfIn PDF document text
    • https://costumeworld.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607504402f482---vexolamebijisavug.pdfIn PDF document text
    • http://ahkjt.com/upfile/file/vigekozolilamokuk.pdfIn PDF document text
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b3c9eeea7c1---nubeduvixozetaluxoxanadu.pdfIn PDF document text
    • http://albatrossmrn.com/konadnew/userfiles/file/nazipomatix.pdfIn PDF document text
    • http://www.misshandicap.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1607522ef9b8e9---tijizabujumetone.pdfIn PDF document text
    • http://www.pointcookelectrician.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16078ab391cfb7---83507035190.pdfIn PDF document text
    • https://saatyapi.com/upload/ckfinder/files/rorofales.pdfIn PDF document text
    • https://agenciaboom.com/wp-content/plugins/super-forms/uploads/php/files/8s527mdg22fu82a4tuq9fijbu1/3445114889.pdfIn PDF document text
    • https://razdolle.by/wp-content/plugins/super-forms/uploads/php/files/3p3fdh5itrbatub7vft9kimgj7/bofuvuxoximimar.pdfIn PDF document text
    • https://edu-mate.kr/_UploadFile/Images/file/27227106578.pdfIn PDF document text
    • https://sanidom.pl/img/file/30756699274.pdfIn PDF document text
    • http://www.caslyn.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6b4cbe007---28599531519.pdfIn PDF document text
    • http://cobansut.com/userfiles/file/jazota.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=no+man%27s+sky+save+game+locationPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4eb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF4EB 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010cfd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CFD 18228 bytes
SHA-256: 182c8e63e377328f1faad2f20d62fe6c3a470023e85e8efe24b14c8e8626dd12
font_02_sfnt_off00013c60.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C60 10756 bytes
SHA-256: 8e12e205c325d7a92a16592a3c41ad697e2edb121e482d2db21d42e787e7ea00