Malicious PDF — malware analysis report

Static analysis result for SHA-256 dac907dd8003f4c7…

MALICIOUS

PDF

432.1 KB Created: 2021-06-17 19:24:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 143a8a0d9ec2735b107d211a34eab320 SHA-1: f942623b2e5cbf14552b4b2f1c802b7fa95e15fe SHA-256: dac907dd8003f4c725d7bd40ab75dd99a890069c529df50d4d9b3ff70797f4f1
246 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains numerous embedded URLs that point to compromised websites and link farms, indicating a phishing or malware distribution attempt. The ClamAV detection of 'Pdf.Phishing.Trojan' further supports its malicious nature. The file's structure and embedded content suggest it is designed to lure users to external malicious resources, likely as part of a broader phishing campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.0164

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=the+reality+high PDF link annotation
    • https://aduanaldelvalle.com/userfiles/file/gaxakelumogajopase.pdfIn PDF document text
    • https://agatanorek.com/files/file/83198131486.pdfIn PDF document text
    • http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb3e4c08dd---83888324049.pdfIn PDF document text
    • https://stef-nancy.fr/upload/document/legak.pdfIn PDF document text
    • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/6gq0c606o78kkikungd629veg3/silazofuruvax.pdfIn PDF document text
    • https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/ccboarnjoec0uaombnq0qt403d/wekisemesitanina.pdfIn PDF document text
    • https://asaptransfers.co.uk/wp-content/plugins/super-forms/uploads/php/files/lvrjscckk7rh7ma4bca6ls8nu3/76996702811.pdfIn PDF document text
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160841eb16494c---peviboxaxolalonobamuvivu.pdfIn PDF document text
    • https://www.ayersworthglen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aa83aa00ee2---26286362915.pdfIn PDF document text
    • https://samiznojmo.cz/wp-content/plugins/super-forms/uploads/php/files/6faddf02f64aa8da000fcb5bf24f964e/newalelepi.pdfIn PDF document text
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a83ba9e6547---farixoga.pdfIn PDF document text
    • http://sh8ke.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ec821cce48---23019464983.pdfIn PDF document text
    • http://accessiblevehicleservices.com/userfiles/file/pozokisovonefok.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/160bc9cfa2d9ae---mirupavo.pdfIn PDF document text
    • https://amesmedicalservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8ca06b17d2---tamolilovumud.pdfIn PDF document text
    • http://aaexpansionjoint.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ed3dbbb3da---raxaju.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e14b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE14B 4820 bytes
SHA-256: eb19d4a020912fb1fe11f0c5099942add1dd5e644403ef75ed0ea6aa814d9328
font_01_sfnt_off0000f1b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF1B3 10740 bytes
SHA-256: 47cb3fc430e93025e863fc0ed205b2b4b356706bdef29cd10ec9b97e20db382c
polyglot_child_pdf_off00011f92.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x11F92 368827 bytes
SHA-256: d1ec401bf3f1e1e3c41cca300b204db837a7f92cad862ac978fd36f4057a4042
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: unlikely
polyglot_child_pdf_off00023f24.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x23F24 295209 bytes
SHA-256: aee3c909fd8a25ec59bcceee453bc44aaaac73ccc1bcf14e02f34dd62c37d759
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: unlikely
polyglot_child_pdf_off00035eb6.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x35EB6 221591 bytes
SHA-256: 7620ebe3e7c3e9c4f80b1b727e79cd7554269fc10a65e780a5b7a1ee3c6c8e5a
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: unlikely
polyglot_child_pdf_off00047e48.pdf polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x47E48 147973 bytes
SHA-256: c25ab39f290d5e7fc9fe1119f17940e19d966ba1b4c500ad103df7ccd46e573d
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.