Malicious PDF — malware analysis report

Static analysis result for SHA-256 da740099d691d2e1…

MALICIOUS

PDF

95.0 KB Created: 2021-07-04 01:33:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: cf3190808f26c9c29712148eb5d5fb47 SHA-1: cab61f15c321aafa6416e63297f86d51f7a054ca SHA-256: da740099d691d2e1b5221c7f2b13c5a05c263456a215a44692dd9142cab3da9b
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many pointing to compromised CMS upload directories, suggesting it's part of a link farm designed to redirect users to malicious content. The presence of these links and the overall structure align with phishing or scamming tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=web+video+cast+browser+to+tv PDF link annotation
    • https://macleanpinesdrivingschool.com.au/wp-content/plugins/super-forms/uploads/php/files/9b4fa12bab71244f5c63bd27deed4deb/49418642353.pdfIn PDF document text
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/16076202909890---95518479702.pdfIn PDF document text
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/b239187960550017eddfb10523969e34/boratijadazitanesoluwa.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160965bb133ad8---busurowuripura.pdfIn PDF document text
    • https://maribon.net/app/webroot/files/userfiles/files/vajidesamopejoxabapo.pdfIn PDF document text
    • http://gagutp.com/sa_upload/userfiles/file/20210618205740.pdfIn PDF document text
    • http://cmrivestimenti.com/userfiles/files/waxetufa.pdfIn PDF document text
    • https://tckontrola.hr/files/5869487917.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/ouen7cmsiuasep7laorh18gg09/pebigefow.pdfIn PDF document text
    • http://cohensevents.com/clients/74638/File/wizevam.pdfIn PDF document text
    • https://journeypeople.cc/wp-content/plugins/super-forms/uploads/php/files/65628c13ea57673561832889421fce23/fometop.pdfIn PDF document text
    • http://xn--80akij1ajew.xn--p1ai/wp-content/plugins/formcraft/file-upload/server/content/files/16098305116685---wowagivex.pdfIn PDF document text
    • https://cochleartudaskozpont.hu/files/mogorilizefobegavaxazuni.pdfIn PDF document text
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/a69deb6d7717e90122fb11cdabdfdff6/22166023507.pdfIn PDF document text
    • http://bomtvplus.com/data/board/file/20210525101621.pdfIn PDF document text
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/16070163dbd788---doramulevasegaxose.pdfIn PDF document text
    • https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/frh06ubicmu0ck8qiptss9r8uu/lobixuremovokotoruperopa.pdfIn PDF document text
    • http://cwesp.biz/upload/file/82148700430.pdfIn PDF document text
    • https://childconcern.in/trila/userfiles/file/suwifapuzo.pdfIn PDF document text
    • http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b2448f6cae8---bodiguvowoxovewukuwinisos.pdfIn PDF document text
    • http://dzbnf.com/upload/file///loroxew.pdfIn PDF document text
    • https://jaiminsales.com/ckfinder/userfiles/files/33270436818.pdfIn PDF document text
    • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/2c043325ac7361f8d43540df839bf5b8/85406292773.pdfIn PDF document text
    • http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16072a6dff3972---37133314670.pdfIn PDF document text
    • http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/16071eeb2c0e20---81866793372.pdfIn PDF document text
    • https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/59abcbbe97817e0591d0ff7144d358d9/sitazetegutonumabixiv.pdfIn PDF document text
    • http://www.inhd.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a155c355d24---83747926278.pdfIn PDF document text
    • http://webvideocaster.appIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f6dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6DD 16144 bytes
SHA-256: fcca37035df06e555c2991ff65faa0e8497ca6423bee408ebc46b3aef925b516
font_01_sfnt_off00010c5d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10C5D 10496 bytes
SHA-256: ea0c0f241c1978a6e14555b1cbebe19396618ffcce2ae5b416b41cad6088b58a
font_02_sfnt_off00012474.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12474 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off00013c86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C86 17972 bytes
SHA-256: 48db2d9f6dabf4c40d5d168ecae4554070ee76c6c55e4e208271d9adfe6cd37b