Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc37bd06de10b56b…

MALICIOUS

PDF

95.8 KB Created: 2021-06-29 01:24:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: efaecf3000ee7a2edc1490d11bfb420b SHA-1: 3869104f27b6ef3adbc6d619f3ff26674f5a6691 SHA-256: cc37bd06de10b56b275c8008db20431e81768d054b083cb802253ffd6589bfe3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It functions as a link farm, containing numerous URLs pointing to compromised WordPress sites and disposable hosting. These links likely serve as a lure to redirect users to malicious content or phishing pages, potentially leading to further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9786

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=famous+fishball+noodles
    • https://skazkavdom.com/wp-content/plugins/super-forms/uploads/php/files/37d034c8d2d14c045072dd0a9a124f87/18602972342.pdf
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607204e0c71b6---texajafonokaxepugubewig.pdf
    • http://aryajob.com/user_upload/file/34372617715.pdf
    • https://nam.it/wp-content/plugins/formcraft/file-upload/server/content/files/16071ea2ab32b4---52842003498.pdf
    • https://bwawarszawa.pl/upload/file/30398589214.pdf
    • http://arcomproltd.com/userfiles/file/faruwewumumuxategew.pdf
    • http://thrifty-uy.com/files/others/91422134915.pdf
    • http://heibldr.hu/FCKfeltoltott/file/zimemisekokuvoritusureti.pdf
    • https://masterpieces-mallorca.com/wp-content/plugins/super-forms/uploads/php/files/77c6ac3e1f479e094347798ae99c3e65/fetiwisufemonuze.pdf
    • http://aire-limpio.com/img/editor/file/56375532248.pdf
    • http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075e370cc995---gokovifaduwevoguzonoxisif.pdf
    • https://www.hdcorp.com.br/wp-content/plugins/super-forms/uploads/php/files/e10be2vvd58sggalj53ba8qu6d/1210103070.pdf
    • http://jarosi.hu/files/file/69892371671.pdf
    • http://piqiso.ru/userfiles/file/nejuzezikenis.pdf
    • http://quickfix-poland.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b6b0a0e51cf---32284009738.pdf
    • http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3a45b302d---44208367162.pdf
    • https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/1c39655c90053ed08739e11d96ff42d9/50541850161.pdf
    • https://betonwerkendejonge.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c76ff905103---78948861187.pdf
    • http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609b4386445e9---xolad.pdf
    • http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/bb383a5d07f5ca4634d958483e64bd2d/55920409167.pdf
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/160c1917e7a95a---70380738051.pdf
    • https://areicon.com/images/file/tapafojuvub.pdf
    • https://mercedesmazo.es/wp-content/plugins/formcraft/file-upload/server/content/files/160803b6f75051---45265103080.pdf
    • http://bezpieczna-strefa.pl/wp-content/plugins/super-forms/uploads/php/files/f0812437e9bc1ae8f82ef3fd43fdb7a1/41755962238.pdf
    • http://elonsummerstorage.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce39ec589a---3178873435.pdf
    • https://heritagelogs.com/wp-content/plugins/super-forms/uploads/php/files/lm5d28i3if92lnp3r8i8u0gvmj/zuvoziwubal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010149.bin
f0bc17824ee38ecf83c44fa58bf8d07b08cc6502dfa1a05111ed63496c4d3c79		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10149 4304 bytes
font_01_sfnt_off00011113.bin
b78eaaea62b64e0364e65224142f4b18648961f273a0cccff7a24686d8eae012		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11113 10640 bytes
font_02_sfnt_off00012922.bin
56cd7be2d6e3357544559024f57a1fb58b58ad8573e3d60e722374f2c17e0ac1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12922 18172 bytes
font_03_sfnt_off0001591f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1591F 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.