Malicious PDF — malware analysis report

Static analysis result for SHA-256 db653dc2db830055…

MALICIOUS

PDF

101.1 KB Created: 2021-06-14 15:48:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ce74feb100a69c30b57d69399d3a53f9 SHA-1: 3e25bddca1b74370e499ef29c89ce870d8846fc7 SHA-256: db653dc2db8300558a35a5c977ab7ae233a531286ec1d8eef90c9a638914d417
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as Pdf.Phishing.Trojan. The document contains numerous links to compromised WordPress upload storage and disposable hosting sites, suggesting a phishing or malware distribution campaign. The presence of embedded URLs and the nature of the heuristics indicate the file is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=command+r+on+a+mac
    • http://netpost.vn/upload/userfiles/files/3822827587.pdf
    • http://dangkyidol.com/wp-content/plugins/super-forms/uploads/php/files/qp0clfbecus8l5rk9nc5jiehv8/65279634382.pdf
    • http://www.caribbeandentist.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076b36b4d7a0---17483053326.pdf
    • https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/86e9836dcb2a02b35243f69a901b04e6/xijuf.pdf
    • http://skipjackpoke.com/ckfinder/userfiles/files/45768698705.pdf
    • http://akcjonariusz.com/UserFiles/file/74379265939.pdf
    • http://rusiuojigalvoji.lt/wp-content/plugins/formcraft/file-upload/server/content/files/160a0bdb68f1d1---pigutet.pdf
    • http://banglatalkies.com/dynamic-images/cms/file/57422361136.pdf
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607f6fc378547---babelekeperixa.pdf
    • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/4d922f65517398bad42b59b8682b8931/36682593585.pdf
    • https://pluviaterra.mx/wp-content/plugins/super-forms/uploads/php/files/fe43784e0cb2d08e6e7da40472e3c085/kebufejatixili.pdf
    • https://readxyz.org/wp-content/plugins/super-forms/uploads/php/files/bb18e4a955f44ea54be80322061ba4e5/6059201489.pdf
    • https://dock-levellers.com/upload/files/74610210676.pdf
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160bd8c8a0c58c---dodux.pdf
    • http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16091b70e0855d---74030184619.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014f1b.bin
52dbc61a576befbdd3fe1657d32d1bb794a8ea92003ff6cbdab257899c6ed5ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14F1B 4780 bytes
font_01_sfnt_off00015f3b.bin
d0e7aee2aaa8d4e557594ec7619493ad24905e7f34fe8fe182185ad0a1766ea5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15F3B 11936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.