Malicious PDF — malware analysis report

Static analysis result for SHA-256 d27d1b68d8488152…

Verdict: MALICIOUS
File type: PDF
Size: 76.7 KB
Created: 2021-06-14 00:52:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c48cda71364f2ce4ecc3047c95151d5
SHA-1: 42db9b6640bab6560987d4721e35af43fb85c204
SHA-256: d27d1b68d8488152b5c5e47fe3df44a2eeb91d2df6409f0dcfe9a10efd17c7ee
Risk Score: 164

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF was flagged as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier verdict. It contains numerous links to compromised websites and uses a 'download button' lure, indicating an attempt to trick the user into downloading a secondary payload. The presence of many distinct hosts and the use of compromised CMS upload storage suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium; PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium; PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure (low; SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal unless other findings point to a malicious workflow.
  • External URI (info; PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f321.bin
  SHA-256: cb4d49199e4d5cf86568e4ddf41857c7f8e58c3b153ddb557b2a82a6f9a570f7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF321
  Size: 5820 bytes

Filename: font_01_sfnt_off000106d9.bin
  SHA-256: 877c6bda9502c4cc35f59169f8fbc36e541a4e4eb153ad32f855dd026fa08014
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106D9
  Size: 11256 bytes