Malicious PDF — malware analysis report

Static analysis result for SHA-256 d10c16097f068867…

MALICIOUS

PDF

89.9 KB Created: 2021-07-10 08:09:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: b58b3319c07d93164bc05d0828c72fff SHA-1: 76eb70a3242436aaa0e1b1bc9d4c4c9e62f94fd5 SHA-256: d10c16097f068867cbe7cc1b4f731d2d123c29a886fe7ee632949b1d5d71f252
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The document contains numerous links to compromised WordPress sites, suggesting an attempt to redirect users to malicious content. The presence of 'preauthorization for medication' in a URL parameter indicates a potential lure for phishing or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/3e47b542abe0555807bfed1bd0f836d0/64371994310.pdf In PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160721d73a36e5---25023504158.pdfIn PDF document text
    • http://beming.com/ressource/site-image/files/fonejapuzozukexevitu.pdfIn PDF document text
    • https://arihantgranites.in/wp-content/plugins/super-forms/uploads/php/files/jr187rlc364r0f44rnforuljn7/98384304891.pdfIn PDF document text
    • http://edu-family72.ru/content/images/uploads/file/saganaroloje.pdfIn PDF document text
    • https://laxmigrouppune.com/wp-content/plugins/super-forms/uploads/php/files/17e3aac48205d664a74512a6cd407c17/kifikozifexubiwiluridiwog.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609011fe60ed6---firuvivexor.pdfIn PDF document text
    • http://varanini.pl/userfiles/file/1141312602.pdfIn PDF document text
    • http://laclonghotel.vn/upload/files/96390120467.pdfIn PDF document text
    • http://hamdard.com/hamdard/app/webroot/img/ckfinder/userfiles/files/75523778967.pdfIn PDF document text
    • http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/g2odub0bj3m01n7oou6c0c0qir/49842629397.pdfIn PDF document text
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160a27edcc0597---vupegibusonikofotujo.pdfIn PDF document text
    • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/759c9dc3098cf50462e0e10e542a8eb9/2311050938.pdfIn PDF document text
    • https://mumegram.com/userfiles/file/mokuzigisatiwaxu.pdfIn PDF document text
    • https://biocoils.com/img/file/kunare.pdfIn PDF document text
    • http://www.aadhar-interior.com/userfiles/file/82594073357.pdfIn PDF document text
    • https://hotelristorantenovecento.it/wp-content/plugins/super-forms/uploads/php/files/6855fa837895e9ea6c5387b4efa80421/67403464941.pdfIn PDF document text
    • http://bfr-bialapodlaska.pl/userfiles/file/jifuka.pdfIn PDF document text
    • http://asckhn.com/acskhn/userfiles/file/63962830521.pdfIn PDF document text
    • https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/160da3f967da29---59731859070.pdfIn PDF document text
    • http://www.patriarca-batiment.com/ressource/site-image/files/luvag.pdfIn PDF document text
    • https://alexandrapanayotou.com/web/images/static/file/54565504569.pdfIn PDF document text
    • http://nelly-design.ru/upload/files/kinamatafoz.pdfIn PDF document text
    • https://heatingboiler.ca/fck_upload/file/32582681178.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=preauthorization+for+medicationPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fcad.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFCAD 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000114bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x114BF 17324 bytes
SHA-256: 8b590605b4924f336490f1e2294fdb1c17b0d3dcb1f48e4a143a02839d996092
font_02_sfnt_off00014212.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14212 10688 bytes
SHA-256: 41036966d4d5c580b24dccf2c67881730e512c479717caa3ab34936407a3e28c