Malicious PDF — malware analysis report

Static analysis result for SHA-256 d817709957817f3d…

MALICIOUS

PDF

92.7 KB Created: 2021-07-04 07:36:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: d42c8dbea9ba46d99c2c1a3ef4ea1e8a SHA-1: 915baa7e1eecfe2806ebae6b37b695059d09ed18 SHA-256: d817709957817f3dd08ab31d6923eba3947adee62eac8a8225a482afa71869ec
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF file containing embedded JavaScript, which is a common technique for delivering malicious content. It includes numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to directing users to malicious URLs for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9935

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=bfr+before+and+after PDF link annotation
    • http://pansophers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4c3db80c5b---pedupetiwozimanaxizal.pdfIn PDF document text
    • https://growmytruck.com/wp-content/plugins/super-forms/uploads/php/files/b3a139e24af5ce2dea50dbb372688c33/dipiruverovibidilegof.pdfIn PDF document text
    • http://augustaelectricalwork.com/editorData/file/xinagerujolade.pdfIn PDF document text
    • http://agcslohian.com/userfiles/file/13446740003.pdfIn PDF document text
    • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/f6f9432a036492659e3fe21fddfcaf40/2562842028.pdfIn PDF document text
    • http://www.musicmaestrodiscos.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160ad864c705da---puxizunakulepafebisu.pdfIn PDF document text
    • http://sk-massimo.com/js/upload/files/40533858717.pdfIn PDF document text
    • http://guides2alpes.fr/uploads/file/49215894038.pdfIn PDF document text
    • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160753c0c0e1c1---julizexevivekubamajukama.pdfIn PDF document text
    • https://spencershaulageltd.co.uk/wp-content/plugins/super-forms/uploads/php/files/6ee3a52bdb05d16a3953ad39017c363c/71834618998.pdfIn PDF document text
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084ce947c61c---23857411012.pdfPDF link annotation
    • https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/7aa939a3414ccd38cb5a9d71fda19d0f/mipumadimonatugodasasufe.pdfIn PDF document text
    • https://humanistbeauty.com/wp-content/plugins/super-forms/uploads/php/files/lb3n8s12asjlgs5kre6lc1370l/zefikikoxikukakewudog.pdfIn PDF document text
    • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608ee7f3bdb9c---69893051258.pdfIn PDF document text
    • https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f29828af8c---13130657977.pdfIn PDF document text
    • https://daleplumbinginc.com/wp-content/plugins/super-forms/uploads/php/files/72eeca8c84a979d8f58b6408e1678576/71760975435.pdfIn PDF document text
    • http://www.icodar.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c54868decda---nomuwaru.pdfIn PDF document text
    • https://www.caesarstravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609bc9d4bfe5b---63752835203.pdfIn PDF document text
    • https://oddluzanie.net/userfiles/file/jiwetuzutotiwaputuwaki.pdfIn PDF document text
    • http://iburgisidimarsala.eu/userfiles/files/41904251853.pdfIn PDF document text
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/b69bf8db6fed356a5511b0903d8a0c9e/nefenuguperaxel.pdfIn PDF document text
    • https://naoshima-habitant.com/96577480503.pdfIn PDF document text
    • http://frezerovka.by/images/fxeditor/file/judomaru.pdfIn PDF document text
    • http://thedreams.cz/files/17554921095.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010927.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10927 10236 bytes
SHA-256: cfc537e8c5b199a48801f16cade35bb73c60a417cbac09783dbb161c9710381f
font_01_sfnt_off0001203e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1203E 17324 bytes
SHA-256: b7225513c51c92753af668c8381d840f3ca08bb1e4197164f40923def1ef5920
font_02_sfnt_off00014dab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14DAB 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.