Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7378958cc92e9c5…

MALICIOUS

PDF

92.1 KB Created: 2021-06-27 03:18:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 04253e6b557fe3fb998570386d0fe30c SHA-1: eef1883965a229287bcabfac19a2e44a51c709ff SHA-256: d7378958cc92e9c5b861b35ef845f423dcae38b23bb71e2da912d544f2699c54
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external URIs and link farms pointing to compromised WordPress sites, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were extracted, the structure and URL patterns are consistent with a malicious PDF designed to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9924

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=dew+claw+injury+in+dogs
    • https://whiteelephant.co.in/wp-content/plugins/super-forms/uploads/php/files/6489c4312c3443a55cdbc5274c7ebbd8/zozegilusi.pdf
    • http://assushop.com/userfiles/assushop.com/file/numogutexewewuwedurat.pdf
    • https://microfocus-realize2020mea.com/wp-content/plugins/super-forms/uploads/php/files/aaec2e02450a241a562b3dd53cd4aedf/56350824077.pdf
    • http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160c98933bd015---fikumidelise.pdf
    • https://mabuksusu.com/contents//files/34852222251.pdf
    • http://erfolgsapp.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a8a5d991981---69028293981.pdf
    • http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/16083411cb398b---kebekikuvoxibogirigop.pdf
    • https://member-amz-seller-system.de/wp-content/plugins/super-forms/uploads/php/files/a1c321f990ad711cd982756bc7154a5c/20576195721.pdf
    • https://advik.net/userfiles/file/wizasuzubup.pdf
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1609dc8fdd86e3---nefuzujobamotadamisuvo.pdf
    • https://winston-woodward.com/wp-content/plugins/super-forms/uploads/php/files/e5b472160a11840e5ef604c9e1c2f1c7/posezanunodovipaf.pdf
    • http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16079ef3e32836---dibinawimasaju.pdf
    • http://www.sempresaude.net/wp-content/plugins/formcraft/file-upload/server/content/files/160852bb561834---pafimomegunarinidosiruwo.pdf
    • https://drainscovers.com/wp-content/plugins/super-forms/uploads/php/files/8468badca60662a4b530c6f3a3b1fe80/pizowebawurevafazibasebos.pdf
    • http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160788bb533d9b---fetofezepoz.pdf
    • http://marcobernini.it/userfiles/files/pisetebej.pdf
    • http://a-kamen.com/userfiles/file/72519285371.pdf
    • http://cn-junsheng.com/upload/file///20216715813905.pdf
    • https://www.oasipizza.it/wp-content/plugins/formcraft/file-upload/server/content/files/16089c2bea4349---nupoxosegen.pdf
    • http://szentistvanpatika.hu/upload/file/70454343296.pdf
    • https://alrashed-alsaleh.com/userfiles/files/22034026662.pdf
    • https://www.straightmyteeth.com/wp-content/plugins/super-forms/uploads/php/files/009889bea89c118276599d9f2c775083/95476395904.pdf
    • https://alice-immo.com/userfiles/file/nufimi.pdf
    • http://bestforfishing.com/wp-content/plugins/super-forms/uploads/php/files/18d99781b8bb4d0366860af4817a8fe2/kajimubesuzikagu.pdf
    • https://master.plus/wp-content/plugins/super-forms/uploads/php/files/6e78d6ba104fe2d6cb7ae6d276c2a0ae/92372063313.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f133.bin
00b1f632e8afe72716c8bcdb76b7901b56c060d1dc0f96f3f5c1b8373b85735b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF133 16140 bytes
font_01_sfnt_off000106b0.bin
c4e39fa23b524c1ba249da71397a9c18fa3e6e4655c641a8ed06bf67fc1782c1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x106B0 10880 bytes
font_02_sfnt_off00011fbb.bin
92059e3844760788b8afe808490477bb84f653887bc1812a4033a2462ad19e25		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FBB 16436 bytes
font_03_sfnt_off00014a59.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14A59 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.