Malicious PDF — malware analysis report

Static analysis result for SHA-256 d94f788f4d9c0f30…

MALICIOUS

PDF

83.2 KB Created: 2021-08-12 13:37:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 25012a78c6de6df4ae20504aa3d9e5b4 SHA-1: 08e85054fd108f94e52e1d0e8218ebba80c65afa SHA-256: d94f788f4d9c0f30b6e727005737fdaa5b6c450621adb887eef560c9d2df68f8
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It functions as a link farm, presenting numerous URLs, many of which point to compromised WordPress upload directories or disposable hosting. The presence of 'utm_term' parameters suggests an attempt to track user engagement, common in phishing campaigns. While no scripts were explicitly extracted, the PDF structure and URL patterns are indicative of a malicious document designed to lure users to external, potentially harmful, sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=aleko+gate+opener+programming PDF link annotation
    • http://buergerforum-tirol.at/file/tovipabirifujebekekobevo.pdfIn PDF document text
    • http://abovomedia.hu/_user/file/dovefasog.pdfIn PDF document text
    • http://asirakademi.com/resimler/files/94195771425.pdfIn PDF document text
    • http://steclotildehorton.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a586f7832d5---90307977316.pdfIn PDF document text
    • https://nuttydog.hu/ckfinder/userfiles/files/gamalajikaxekovofo.pdfIn PDF document text
    • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/63fdf084ed2191a7e8f2e8c40cfaf7f5/mebozowubufamomi.pdfIn PDF document text
    • http://davidlbrooks.com/clients/868292/File/nitulakinoziwesufokusato.pdfIn PDF document text
    • http://nuocmambason.com/upload/fckimagesfile/0535b433b6ce2ec0d52be3d5029c546a.pdfIn PDF document text
    • https://amesmedicalservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071e6d837ead---62556795244.pdfIn PDF document text
    • http://crystalnymph.by/wp-content/plugins/super-forms/uploads/php/files/d06dc11a40a43c76d08260c7e9d8ca8a/86063861076.pdfIn PDF document text
    • http://radioevangilereal.com/assets/ckfinder/core/connector/php/uploads/files/pibipadupesinozatibutuv.pdfIn PDF document text
    • https://tirthmobile.com/wp-content/plugins/super-forms/uploads/php/files/7ajse6v4ua0bv4hul8jrn1du01/75057715564.pdfIn PDF document text
    • https://hamasataccessories.com/userfiles/files/beludeme.pdfIn PDF document text
    • http://aviatechinform.ru/sadm_files/viluxedodi.pdfIn PDF document text
    • https://ateneoarbonaida.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c120211e30f---memetoripimen.pdfIn PDF document text
    • http://www.bewegeninarnhem.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1610bb080a0225---soredosagatakikatatiga.pdfIn PDF document text
    • https://patriot.ch/wp-content/plugins/super-forms/uploads/php/files/61v2hujbrljvrkcch8ocgq9ih3/15536320437.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/7ptr9q0o52qm40pcmoubmv6s8c/xibune.pdfIn PDF document text
    • http://dolphinegypt.net/userfiles/file/38936239493.pdfIn PDF document text
    • http://alternativefitness.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607f19edecb6d---92918060883.pdfIn PDF document text
    • http://www.kidnuri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f166e5f118e---fuvoxejuvozo.pdfIn PDF document text
    • http://ingfrimale.com/userfiles/files/29388887339.pdfIn PDF document text
    • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/4508b27b20f6dd946cb9411182dc4cbd/regefexu.pdfIn PDF document text
    • http://michelschuurmans.nl/images/uploads/file/17555616061.pdfIn PDF document text
    • https://congthuonghotel.vn/app/webroot/files/images/pages/files/wirisetigoxubafuson.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1ad.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1AD 17192 bytes
SHA-256: 90d0ca34de0df0457213acd39ea809d0fb76c1bcd0a85b2e48e3095aa2153c62
font_01_sfnt_off00010e86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E86 10500 bytes
SHA-256: 3c988d4753b8b1e4845fcb83003f5054a533e85da7128499e9114a3ab3db7780
font_02_sfnt_off00012664.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12664 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1