Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1a6a44c09371910…

MALICIOUS

PDF

82.0 KB Created: 2021-09-01 00:19:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 4466dc6156742954d7592a1884609fe9 SHA-1: a89e02077202fbcc6b4ddd1f9bd91896f7e3b8d6 SHA-256: d1a6a44c09371910169a1d7c259f2286f2581a71e022f07454ed845e446a283d
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to compromised WordPress sites, suggesting it is part of a link farm designed to distribute malicious files. The presence of a 'download button' heuristic further supports a lure-based attack. ClamAV detection as 'Pdf.Phishing.Trojan' and ML classification confirm its malicious nature, likely as a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6f0fa0fa74---govav.pdf In PDF document text
    • https://bangvetthuong.com/luutru/files/bedukawowofapitebutonamu.pdfIn PDF document text
    • http://gruppocinofilomarsalese.com/userfiles/files/gizixivunitivadaf.pdfIn PDF document text
    • https://paperland.bg/uploads/file/jenojusok.pdfIn PDF document text
    • http://www.dnevi-sekretarjev.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16087b837cbaa7---58921780213.pdfIn PDF document text
    • https://csom.cz/wp-content/plugins/super-forms/uploads/php/files/a5f1134b8bef207174064a7e6d3b9989/bebixase.pdfIn PDF document text
    • http://bawaconstructions.com/editorData/file/fifafivadurusaxovageluxar.pdfIn PDF document text
    • https://www.penyembuhanholistikreiki.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610a24e0af86b---tadita.pdfIn PDF document text
    • http://www.plain-pied.com/editeur/ckfinder/userfiles/files/sixiwiz.pdfIn PDF document text
    • https://globalazeri.az/wp-content/plugins/super-forms/uploads/php/files/g13eu921tfovj25qf0mtq7oav7/kuganetolepetiriniduganil.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/f74fd626eb0e7bd34ef937c89f4aea92/18612349368.pdfIn PDF document text
    • http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/161216b156c24e---86723078328.pdfIn PDF document text
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/04edb89bad11e439189d8c2ce5b6f969/xosefiwuxabagome.pdfIn PDF document text
    • https://actor-conseil.com/files/file/latureradejelimadip.pdfIn PDF document text
    • http://theeultimatenetworker.com/ckfinder/userfiles/files/59390858823.pdfIn PDF document text
    • https://airshow-bg.com/file/pasetapexitepetoto.pdfIn PDF document text
    • https://digiconelectronics.com/media/nimafaxij.pdfIn PDF document text
    • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/40fr4hr1uqdm4pu79m0ajprng2/xelukomevozit.pdfIn PDF document text
    • https://samavetpharm.com/userfiles/files/94304019298.pdfIn PDF document text
    • http://b-solutions.net/userfiles/file/xamore.pdfIn PDF document text
    • https://arichaindia.com/userfiles/file/bujaxexufugotarelir.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adbbb6dbf4c---31945931810.pdfIn PDF document text
    • https://www.tctnanotech.com/wp-content/plugins/super-forms/uploads/php/files/6cab9b8b2fa9259f4df2988e57ee5e0c/gifivitosawexegojifew.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=decision+analysis+for+management+judgment+5th+edition+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d75d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD75D 11544 bytes
SHA-256: fd56897e26f787ce0b9d1df38ea9c64b7a98fe750e8303ac749deaf85cf9085a
font_01_sfnt_off0000f26a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF26A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00010a7c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A7C 18188 bytes
SHA-256: ef5f74b54f77631cd59c5d748b51145fc21d07b72af7121aa8891080174db009