Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc39d1282a23d638…

MALICIOUS

PDF

68.0 KB Created: 2021-06-03 02:29:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: fcbc8d0f54282c44c5b1c45792db2017 SHA-1: da06a1d9e3918edf71d1e12ea0a877f858f20708 SHA-256: dc39d1282a23d6382d63028b447f2c13d985778a8f94f0c34a01219e7b786b8b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs, many pointing to compromised CMS uploads, suggesting a link farm designed to redirect users to malicious content. The document body is heavily obfuscated and appears to be generated content rather than user-readable text.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8570

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://english-island.pl/wp-content/plugins/super-forms/uploads/php/files/038rgd3g7msoo1t86g41hguti7/bikuneweluxunewilafoze.pdf In PDF document text
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/vfja5u3ndv6m558eo0a1758agf/46356329546.pdfIn PDF document text
    • https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/8da870d0269625cc6a3eb32f80e296fb/61892459940.pdfIn PDF document text
    • https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/2f0ada54a095cbd58c189aa3e2a462b6/55621816079.pdfIn PDF document text
    • https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/siqg7husg93eckgvkd32ponc51/12926903986.pdfIn PDF document text
    • https://broadstripe.com/wp-content/plugins/super-forms/uploads/php/files/6aafaa7b8fdd15176099ad5645fa2ed8/10778098628.pdfIn PDF document text
    • https://www.wflorlando.com/wp-content/plugins/super-forms/uploads/php/files/f46dedd486fb19595c72fd5575344bec/sawewusojafaniziwo.pdfIn PDF document text
    • https://www.kunapak.com/wp-content/plugins/super-forms/uploads/php/files/u38f2ic2mgn88bhv8lrdfft6lr/69176322845.pdfIn PDF document text
    • http://cgt-fo-csc.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16080ad0be3f53---14967562369.pdfIn PDF document text
    • https://efnnma.org/files/file/tezuxiwosaxozi.pdfIn PDF document text
    • https://www.hagensmarketing.com/wp-content/plugins/formcraft/file-upload/server/content/files/160792aa8c4b49---82904632860.pdfIn PDF document text
    • https://rockdental.co.uk/wp-content/plugins/super-forms/uploads/php/files/de0997d30db6ec20a201b6acbbb260d3/28615595317.pdfIn PDF document text
    • https://frasertechno.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b66dd36ea8---54296305142.pdfIn PDF document text
    • http://alexlunacoach.com/img/editor/file/16719889036.pdfIn PDF document text
    • https://retentionstudentexperience.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5f7fb11457---34412735451.pdfIn PDF document text
    • https://archltginc.com/wp-content/plugins/super-forms/uploads/php/files/27395a207b5e3bf8459e9ff538cb2292/josibobimepizawuboxoj.pdfIn PDF document text
    • http://africanhairbraidingsalon.com/userfiles/file/gabajunujekewopibavin.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=what+genre+is+big+natePDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df8b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF8B 5068 bytes
SHA-256: a8fc8c6dc17c719c10a1c854ff13946c5533c9d7d525e14d7e7a42c083d998b4
font_01_sfnt_off0000f0d2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF0D2 10704 bytes
SHA-256: ac003f6a6c6a43b21279e8d80e2f284368c8cc3cbe5b93a96d2b9af894fa0f68