Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4911c6d224aa589…

MALICIOUS

PDF

70.7 KB Created: 2021-09-21 01:29:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: ab0ee0c11f3efcf11dcf6de5982833fa SHA-1: f97956d2011a0cd6c8d7136c4f18d4727693a3d9 SHA-256: d4911c6d224aa589bee17cd60c9f61092e8cfc257a2a73b3e34d4ede2e6e5255
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and numerous URLs, many of which point to compromised or disposable hosting. Heuristics indicate a link farm designed to direct users to external, potentially malicious content. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7336

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://karapinarinsaat.net/userfiles/upload/file/63077698542.pdf In PDF document text
    • http://zhengfutz.com/v15/Upload/file/2021919216168592.pdfIn PDF document text
    • http://mardeestilos.es/fotos/file/31371446649.pdfIn PDF document text
    • http://ytlcases.com/userfiles/file/zojipajatumuletufu.pdfIn PDF document text
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/16148fada7bcb2---rufekez.pdfIn PDF document text
    • https://sharidendesignasphalt.com/wp-content/plugins/super-forms/uploads/php/files/08d093215aa6287a603cb56d8a6b1698/19151210914.pdfIn PDF document text
    • http://albergocavour.com/userfiles/files/kubadanifisi.pdfIn PDF document text
    • http://crescentcarpets.com/userfiles/file/mosodiwona.pdfIn PDF document text
    • http://haiqi-machine.com/d/files/71169930706.pdfIn PDF document text
    • https://worldpigment.com/image/upload/File/bifizawekizudafagupi.pdfIn PDF document text
    • http://fuerst-architects.com/uploads/file/suwawax.pdfIn PDF document text
    • http://phdpecs.hu/userfiles/files/84011988860.pdfIn PDF document text
    • http://alpinist.store/sribati/editor/uploadfiles/45108227134.pdfIn PDF document text
    • https://namhunglogistic.vn/site/files/33335035338.pdfIn PDF document text
    • https://auditorescr.com/ckfinder/userfiles/files/pugejumisu.pdfIn PDF document text
    • https://smwebtechnology.com/arishayurveda.com/userfiles/file/wafenopesiponut.pdfIn PDF document text
    • https://eric-parnes.com/ckfinder/userfiles/files/zikumi.pdfIn PDF document text
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/1613729a755164---niveso.pdfIn PDF document text
    • https://aiwatopup.com/ckfinder/userfiles/files/mogodesudas.pdfIn PDF document text
    • https://mattress-leader.com/media/dagazanizuvuzuvazelegowot.pdfIn PDF document text
    • https://unicorn.mn/js/ckfinder/userfiles/files/tekivapafimoxapivixo.pdfIn PDF document text
    • https://mamalight.net/business_school/uploads/file/83216231224.pdfIn PDF document text
    • http://www.kinoimaging.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16135ced3d750b---34603834830.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=system+data+flow+diagramPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9de.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD9DE 17496 bytes
SHA-256: 93231071e92029b715137a85e524ee642d01242c3b7fbc854449676ad68ee9a6
font_01_sfnt_off000106ea.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x106EA 10868 bytes
SHA-256: 461b63169db7db42d7fc36693f4fd3d43ee8f1096ea3f69fcbc7fe259a11a322

Open this report in the interactive analyzer, or submit your own file for analysis.