Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1a4c5db020681fe…

MALICIOUS

PDF

88.1 KB Created: 2021-08-07 23:20:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: fc07f89d6f82d8380e68c2c7dd2d6c95 SHA-1: 21d6b0ff406268780e20c512a1100e3047b09745 SHA-256: d1a4c5db020681feb1e7262e346aef4cc1f4f63409e3f65647671a4bf69c1627
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous external links, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to distribute malicious content or phish users. The ML classifier and ClamAV detection strongly suggest malicious intent, with the file being identified as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=acunetix+web+vulnerability+scanner+10.5 PDF link annotation
    • http://a-daily.jp/app/webroot/contents_img/files/dufekejodozi.pdfIn PDF document text
    • http://www.rec39.ru/wp-content/plugins/super-forms/uploads/php/files/1d800b76e61210f26700744c8492fee6/80259159951.pdfIn PDF document text
    • http://hani-bee.com/userfiles/files/80560799479.pdfIn PDF document text
    • http://sonnenheizungen.ch/fckeditor/editor/images/file/6447953487.pdfIn PDF document text
    • http://sumtinathholidays.com/admin/uploadfiles/file/83707623542.pdfIn PDF document text
    • http://staropolski.net/Upload/file/tusesikobezuruniresutujez.pdfIn PDF document text
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abd5e5a700e---59592195877.pdfIn PDF document text
    • https://orrizon.ru/images/file/61866972273.pdfIn PDF document text
    • https://www.vbclighting.com/wp-content/plugins/super-forms/uploads/php/files/bde4c811d9c2bb652814804dbc75bfd5/56356210540.pdfIn PDF document text
    • https://www.pharmaright.ca/wp-content/plugins/super-forms/uploads/php/files/opbrrpdco5o3l9nmrdvkjtbjo0/36191368978.pdfIn PDF document text
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac2feb93bd3---pekuzejazutesip.pdfIn PDF document text
    • https://anfauglir.com/images/file/buzonubepazova.pdfIn PDF document text
    • http://xn----7sbbgprpk7biiq.xn--p1ai/admin/ckfinder/userfiles/files/guxakiva.pdfIn PDF document text
    • http://stuarteisbrucklaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/36245523298.pdfIn PDF document text
    • http://maychamsocda.vn/images/userfiles/file/xunozugipesitejikuku.pdfIn PDF document text
    • http://tecsun-moscow.ru/docs/file/lodowutilunuwo.pdfIn PDF document text
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b60be34d66e---relulutedusokasenadapi.pdfIn PDF document text
    • https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/duohh6n9um9ffjom119b14jih6/73507885799.pdfIn PDF document text
    • http://neonatal-surgery.ru/userfiles/files/46144628977.pdfIn PDF document text
    • https://rmdschoolandcollege.com/wp-content/plugins/super-forms/uploads/php/files/h806rfted7nme18cr8f8ns1gg2/nepowezu.pdfIn PDF document text
    • https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/9d783ddc272b7b88ac7e78d5cbe45b35/talizi.pdfIn PDF document text
    • https://comtraining.cl/userfiles/files/nomojejopeb.pdfIn PDF document text
    • http://zcapitalcrm.com/app/webroot/uploads/files/kegoxuletipugusu.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eda6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDA6 18928 bytes
SHA-256: 8e5a0892138bafe0317e37f2646956b0fd143a7cdec8ebc84b2881b621017a5b
font_01_sfnt_off00011f38.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11F38 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001374f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1374F 11068 bytes
SHA-256: ccc1288045497975a52920ca0345ee5be348614c837ba7c08ad047b842892310