Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8e71d3c7efa207a…

MALICIOUS

PDF

83.2 KB Created: 2021-09-02 15:21:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: d27e56a3709fd824c2453103adef7d3d SHA-1: c4d8e6326c905f19d2d8e705000bb4c0449f792f SHA-256: d8e71d3c7efa207a640410b7a4d06832383efc0e8a3f6a3a832a099b0b24f6d7
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, which is often used to redirect users to malicious sites. Multiple heuristics indicate the PDF acts as a link farm, pointing to compromised CMS uploads and disposable hosting, suggesting an attempt to distribute malware or conduct phishing. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9860

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cbcom.eu/ressource/site-image/files/senabonesamumelil.pdf In PDF document text
    • https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/612398c5a318ea3b663c2cf473d86b1a/nulifuxutomozuduliko.pdfIn PDF document text
    • http://all-vehicle.net/js/upload/files/boniwenudakuvekot.pdfIn PDF document text
    • https://abofahed.com/userfiles/file/kagivusaxo.pdfIn PDF document text
    • http://www.kocay.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/161194f681d8c4---97632184261.pdfIn PDF document text
    • http://ecogestval.com/userfiles/file/64678785612.pdfIn PDF document text
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b810f197d74---22061505399.pdfIn PDF document text
    • https://www.projectorrentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ec65e52a40---xesepuzamoxitewosuwab.pdfIn PDF document text
    • https://yingzhaoliuart.com/upload/file/38233291947.pdfIn PDF document text
    • http://h-st.nl/bestanden/files/dirodilujoxep.pdfIn PDF document text
    • http://hiroi-es.info/yamituki-n/uploads/files/milutaw.pdfIn PDF document text
    • http://allseasonsart.com/uploads/fck_uploads/file/51178495675.pdfIn PDF document text
    • http://goref.ru/files/file/tukutimovaredojerikibu.pdfIn PDF document text
    • http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611f95ec3a506---98856329692.pdfIn PDF document text
    • https://learn-atdi.com/uploads/files/36960203351.pdfIn PDF document text
    • https://www.sir.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607e135b571cd---bezolusafimuberut.pdfIn PDF document text
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/2jk9v0tdpd5tp47dssh93kj8e9/vojuke.pdfIn PDF document text
    • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/06d47e744b09436d6ee782a158c5411a/sopulurov.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16123a947d7b61---13066187055.pdfIn PDF document text
    • http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b81e95106fd---25625374068.pdfIn PDF document text
    • http://kowel.com/ckfinder/userfiles/files/1622433363.pdfIn PDF document text
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160812b880c75c---verojufobetu.pdfIn PDF document text
    • http://rusiuojigalvoji.lt/wp-content/plugins/formcraft/file-upload/server/content/files/160dbe180a8d23---vorosotemelejixazezufidem.pdfIn PDF document text
    • http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbe5fdef881---25670551327.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb4e612884---45442394238.pdfIn PDF document text
    • http://africansafaris-spain.com/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2Ffile/masad.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=stephen+king+in+the+tall+grass+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e034.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE034 17896 bytes
SHA-256: a1dbdba1c3f4f82ffc8f59fb98fc962d499ac6e6b0e0963b3243672078d27b8d
font_01_sfnt_off00010eb7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10EB7 10824 bytes
SHA-256: 60992b44470f58fa2bb20975f8b263eb4a38b6d4724bdfe207456640fdb7947d
font_02_sfnt_off00012766.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12766 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1