Malicious PDF — malware analysis report

Static analysis result for SHA-256 da85278e6a5a94a0…

MALICIOUS

PDF

92.0 KB Created: 2021-08-21 03:13:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: e13db3beb3944bc6156d85860cd774f9 SHA-1: cdc15cd242eb7c80df70c7bd800bb2511d446ea0 SHA-256: da85278e6a5a94a0ba73171280a2896d618a97d30c2850a52e7530157ca2d9f4
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as a phishing trojan and ML classifiers indicated a high probability of maliciousness. It contains an embedded JavaScript stream and a large number of external links, many pointing to compromised or disposable hosting, consistent with a link farm used for phishing or spam. The presence of JavaScript suggests it may be used to redirect users or execute further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://przychodnia-felinskiego.pl/uploads/editor/file/gobabiwijopadawozabinuma.pdf In PDF document text
    • http://to-kajihan.net/js/upload/files/birupebubukitafijifu.pdfIn PDF document text
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160830e753c333---27635410098.pdfIn PDF document text
    • http://www.absolutecateringla.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b20e56ea6fb---zivomibupi.pdfIn PDF document text
    • https://nailseasupportgroup.com/wp-content/plugins/super-forms/uploads/php/files/9e5ee6d8c894851acb639b9e58b29556/rurukineki.pdfIn PDF document text
    • http://gfb.it/upload/fck/file/69267358691.pdfIn PDF document text
    • https://bwawarszawa.pl/upload/file/nisojimekomaw.pdfIn PDF document text
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b814fc8598d---56506770493.pdfIn PDF document text
    • http://9jamail.com/userfiles/file/70629264108.pdfIn PDF document text
    • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/160d83bb5b02bb---21880450043.pdfIn PDF document text
    • http://metabolit.ru/files/file/85809781745.pdfIn PDF document text
    • https://medprobr.com.br/wp-content/plugins/super-forms/uploads/php/files/d0c20a6a40d1e3a7e75def98b5f8cb5b/sokivefe.pdfIn PDF document text
    • https://amenagementsoleil.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a59a45dd13---xozebazeromo.pdfIn PDF document text
    • https://chokysitohang.com/Uploads/userfiles/files/bewumetoletanafowusivi.pdfIn PDF document text
    • http://jtylek.pl/Upload/file/97390519201.pdfIn PDF document text
    • https://comesa.com.pe/wp-content/plugins/super-forms/uploads/php/files/rma96e7pkqapn5rbd5bsca1qt5/fizagexazakikogewuvejarat.pdfIn PDF document text
    • https://heatingboiler.ca/fck_upload/file/2438963641.pdfIn PDF document text
    • https://arhometutor.com/userfiles/file/tinumok.pdfIn PDF document text
    • https://www.esicm-old.org/admin/lib/ckfinder/userfiles/files/toribo.pdfIn PDF document text
    • https://cmflower-kkc.com/ckfinder/userfiles/files/4217565113.pdfIn PDF document text
    • https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/sf3ogmr6rbboviiiim7p6350bi/75738485659.pdfIn PDF document text
    • https://ntct.dz/ckfinder/userfiles/files/49579776897.pdfIn PDF document text
    • https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/63498442f4e77c00d8433a49845cbfd6/37791203241.pdfIn PDF document text
    • http://ctm.it/userfiles/file/84683112562.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=b%C3%A0i+t%E1%BA%ADp+x%C3%A1c+su%E1%BA%A5t+th%E1%BB%91ng+k%C3%AA+c%C3%B3+l%E1%BB%9Di+gi%E1%BA%A3i+fullPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e749.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE749 33432 bytes
SHA-256: 751396a2c217183915dd6934207aa18f3897cc30e9bc297f6a837e13fd24045e
font_01_sfnt_off00012acd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12ACD 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000142e4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x142E4 12316 bytes
SHA-256: 0548f6ba25b49a9960aaf0d891dc406d1e53a4bf7a5ac31a3238900575685a65