Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc231b2533ddc0d9…

MALICIOUS

PDF

150.2 KB Created: 2021-09-18 16:24:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: e3c78c76e5e354bdae620e8802ab2f75 SHA-1: 752743b79ebeea032f54a3abe9fb26d4c9a7edfa SHA-256: dc231b2533ddc0d926e08012a5e33cd293fb35d8c7c1f6ada570d3dcf69cb888
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and a link farm pointing to compromised WordPress upload storage and other disposable hosting. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to deliver a second-stage payload or conduct phishing. The embedded JavaScript is likely responsible for initiating the download or redirection to the malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8865

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://handientu.vn/userfiles/file/11570057146.pdf In PDF document text
    • http://vanxuantravel.com/upload/files/gisiwokagajitorimelux.pdfIn PDF document text
    • https://snpwachq.com/files/js/ckfinder/userfiles/files/timotasolizejipav.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612f7b5b92380---59763317803.pdfIn PDF document text
    • http://nuitsdartistes.eu/images/file/tunopolomipus.pdfIn PDF document text
    • http://mebelhotel.ru/images/news/file/91666565368.pdfIn PDF document text
    • http://sosonomo.com/ckfinder/userfiles/files/79168239278.pdfIn PDF document text
    • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/af2fbd7697e30a54003f41a4353ae32c/daxanavenepefibiwig.pdfIn PDF document text
    • https://aprilboya.com/userfiles/file/legidoraxokinuv.pdfIn PDF document text
    • https://lyonsinn.com/nbloom/fckuploads/file/jojumapojaret.pdfIn PDF document text
    • http://swaving-stalinrichting.nl/ckfinder/userfiles/files/49384195324.pdfIn PDF document text
    • http://cheapmarkt.com/userfiles/file/vaxemewixuzomusapari.pdfIn PDF document text
    • http://greece-ex.com/images/blog/file/93537387406.pdfIn PDF document text
    • https://bahia-group.com/ckfinder/userfiles/files/bofaxiwivarusen.pdfIn PDF document text
    • http://jikaramen.com/uploads/files/wopozifekotesowerune.pdfIn PDF document text
    • http://ristorantebiscione.com/userfiles/files/56822878926.pdfIn PDF document text
    • https://misbahelmudii.org/ckfinder/userfiles/files/84347476981.pdfIn PDF document text
    • http://www.performhabitat.fr/bundles/astadmin/js/ckfinder/userfiles/files/30346066354.pdfIn PDF document text
    • https://receptabc.hu/images_banner/files/bokikatelufa.pdfIn PDF document text
    • http://ipsaix.com/ckeditor/ckfinder/userfiles/files/96877204178.pdfIn PDF document text
    • https://jakspravnenapsa.cz/userfiles/file/36311689591.pdfIn PDF document text
    • http://actlogistic.vn/upload/editor/files/xelovaboximexaboradupug.pdfIn PDF document text
    • http://dorinhawear.com/admin/fckeditor/editor/filemanager/connectors/php/fckeditor/editor/filemanager/connectors/php/userfiles/file/fawelolunipex.pdfIn PDF document text
    • http://orthocarecentroortopedico.it/userfiles/files/52446024549.pdfIn PDF document text
    • http://adanateknikservis.web.tr/wp-content/plugins/formcraft/file-upload/server/content/files/16142e1f9c44ae---xitizan.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=combat+maneuver+bonus+pathfinderPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002107e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2107E 19872 bytes
SHA-256: 3dacb0a5ed36a17cb73ae7fedb3b1b24ebcac5a732623929f279d6051b4b5e8d
font_01_sfnt_off000243cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x243CB 11052 bytes
SHA-256: b6bfd17aaa22c47eff005a3331f5255aaaa087c475f6d3d743068f525b1ddba2

Open this report in the interactive analyzer, or submit your own file for analysis.