Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc7b6bfa2d28b99c…

MALICIOUS

PDF

107.1 KB Created: 2021-07-06 19:55:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d5bdbf8c21bd5344e611803122c6bf1e SHA-1: 9801763e5176f45ac52d66c23340816303a31eff SHA-256: dc7b6bfa2d28b99c68bb2ca3dfbe2b7c5a7d6e5a24f4419dc77ec533d9a4e968
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, indicating a link farm designed to redirect users. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and URI heuristics point towards the exploitation of embedded JavaScript or other active content to facilitate these redirects.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9756

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hum-lucknow.org/test/fckeditor/file/serozamot.pdf
    • http://tahi.hu/ckfinder/userfiles/files/revile.pdf
    • https://hashtag.school/userfiles/file/85029677053.pdf
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f44ac593c1---fetodarujumep.pdf
    • https://angkoronetour.com/userfiles/file/59325127509.pdf
    • http://dollreunion2020.com/clients/4/43/4392dc7a9e9236654a628da0af121bbb/File/53178199778.pdf
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/160b8557f824bc---12647984598.pdf
    • https://llsindia.in/FCKeditor/file/68603142667.pdf
    • http://granite1962.com/clients/869125/File/4711587607.pdf
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160c517ed238e9---vafofikutupu.pdf
    • https://vetranhtuongmamnon.vn/wp-content/plugins/super-forms/uploads/php/files/i2ukbcikh65h825q6ljvbbunl6/kipijizobufipojo.pdf
    • https://sce.tw/uploads/files/60b4cbc4cd018.pdf
    • http://madveras.com/ckfinder/userfiles/files/83240079435.pdf
    • http://nfc.soo.jp/file/dujoxidiwozusuj.pdf
    • http://bellsazshihtzu.com/clients/878694/File/bilevemelazo.pdf
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a331e170302---85693030930.pdf
    • https://christembassybarking.org/wp-content/plugins/super-forms/uploads/php/files/4dc13fbbd1c8f15656ff5e0a9f40a94d/39356973273.pdf
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160c321c6d4cda---xalinoferibulopadabe.pdf
    • http://tcurryproperties.com/konadnew/userfiles/file/kejesefeloga.pdf
    • http://vitali-schulz-eiskunstlaufen.de/userfiles/files/9508288935.pdf
    • http://redwoodpwr.com/wp-content/plugins/super-forms/uploads/php/files/1u9lip6qgarnleqfmp1mogob47/85837103299.pdf
    • https://advancedcheckcashadvance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a48dee7391---2132485250.pdf
    • http://studiotecnicoarduini.eu/userfiles/files/99352809351.pdf
    • http://kwik-it.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607668ff9a3ba---rumogokujunax.pdf
    • http://mileschapelcme.org/clients/9/9b/9b85db73e8c1d5ae3bc18b6db4f26039/File/45365973002.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=english+first+names+male
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010dfc.bin
482eb8341e57bcf9dc35f3d0e59809d7538026c0abb36e5315f0b8def702c2f4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10DFC 10524 bytes
font_01_sfnt_off000125a4.bin
30c9cb3b69b46c45d84c6a2c02fc908904ec7c4f7902a1d8c157147b32dde396		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125A4 3648 bytes
font_02_sfnt_off000133cb.bin
914cc7b03cf60b5ea5a1fc18de1b43b262d5aeb94e9246409ee6c3acad9cb829		 pdf-font-stream PDF embedded font (sfnt) at offset 0x133CB 16860 bytes
font_03_sfnt_off00014c2c.bin
3b8092c6b1dedccf4ff2942c8d3c3ddafce9afad5cab2e710c4c3a2deacc6227		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14C2C 23804 bytes
font_04_sfnt_off000185a2.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x185A2 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.