Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2867491fa41beb6…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2021-06-27 13:31:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: a6924eeafa84af483a425467e0a7384e
SHA-1: 8f458deb7da2dd950a6c0ac47b2a307dc54fbe01
SHA-256: d2867491fa41beb6488da90aaf9ec9c89c61cc680b749c1d016996c9cfec7e52
Risk score: 176

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs, many pointing to compromised WordPress sites or disposable hosting, suggesting it's part of a link farm used for phishing or malware distribution. The 'SE_CALLBACK_LURE' heuristic indicates the document likely prompts the user to call a phone number, a common tactic in tech-support scams or callback phishing. While no scripts were explicitly extracted, the ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure [medium, SE_CALLBACK_LURE]
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crysiq.ru/uplcv?utm_term=use+of+cantharis+30
    • https://addsfly.com/userfiles/file/neluda.pdf
    • http://chinhsuasolieu.com/media/files/jewasig.pdf
    • https://holzhaus-suedtirol.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609444460426b---bofusozuwibov.pdf
    • https://cosalesrep.com/wp-content/plugins/super-forms/uploads/php/files/fbaf3b814c9b28d7a244834d0456b1d3/kadobupegozijafuf.pdf
    • https://law.com.sg/wp-content/plugins/super-forms/uploads/php/files/a672aeab02bf67846cd4c7b8bbb220e2/kawiwiletefo.pdf
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c2c67e16e63---96074822739.pdf
    • https://vakukh.ru/wp-content/plugins/super-forms/uploads/php/files/42f590b018b732a45b1cb421e7a0e17a/zuwonobirog.pdf
    • http://gilendor.cz/userfiles/file/wikurusokavo.pdf
    • https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/0b1a7827d87562e405a18f55ead9b951/73521853859.pdf
    • https://www.quatainvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16077c1581cb09---xomazunamapikonurunomowip.pdf
    • http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/160adf971d1976---50138474240.pdf
    • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b18fcbd5964---tibedafimedigunat.pdf
    • http://galgalesh.com/userfiles/file/90745805579.pdf
    • http://gramercygrand.ru/files/file/45271835064.pdf
    • https://craftsmancuttingdies.com/wp-content/plugins/super-forms/uploads/php/files/fp4gl6sinqbhplhhadqfkvqgok/71531630598.pdf
    • http://teormech.ru/teormech/usrimg/file/91078836178.pdf
    • http://hurtmar.pl/Upload/file/79565527323.pdf
    • https://www.lesson-online.org/wp-content/plugins/super-forms/uploads/php/files/qp6npuf2bvprvv50jvke7cem53/23300846027.pdf
    • https://engravestone.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c94b2d9f59b---lufemorerave.pdf
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16075eafadb84a---18520684134.pdf
    • http://bafiti.com/sklep/userfiles/file/96365995571.pdf
    • http://alnoorcity.com/userfiles/file/moresiluxixolo.pdf
    • http://srividyaastrology.com/userfiles/file/89637109868.pdf
    • http://humanitool.ru/userfiles/file/desodanusubel.pdf
    • http://synthecinter.com/userfiles/files/lazuvekuxatamabegebo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eed4.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEED4
  Size: 16792 bytes

Filename: font_01_sfnt_off000106e6.bin
  SHA-256: ddf74e14b4c3bfeca9cc463e4ba59cb2525a45c603f94ee49474d4be1016bccd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106E6
  Size: 17960 bytes

Filename: font_02_sfnt_off0001359e.bin
  SHA-256: c0faa4476fb807ee6567bd00681d76df0e765a33c6ce21546720f87265067ac8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1359E
  Size: 10688 bytes