Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcdd80f584f2bdde…

MALICIOUS

PDF

95.3 KB Created: 2021-07-16 02:13:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: d0e46f98d9d9b5f16051c663f8ef94a2 SHA-1: 419f0af90e4ef04d4468ad6e2168ddf4233f53fb SHA-256: dcdd80f584f2bdde3fef253d4ade6f24ffce220b9f08f3e255aa47e1dcc66f30
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan delivery attempt. The presence of a 'Password-protected archive handoff' heuristic suggests the document is designed to trick the user into believing they need to provide a password to access an archive, which likely contains a malicious payload. The numerous embedded URLs, many pointing to compromised CMS uploads or disposable hosting, further support a malicious intent to distribute further stages or phish credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9840

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://planbmedia.hu/files/84842111596.pdf In PDF document text
    • https://stijsr.com/userfiles/file/fezemonibimigag.pdfIn PDF document text
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/7743b5640562f8c81075e8109cc2dce4/86180082199.pdfIn PDF document text
    • https://fiscalonline.eu/app/webroot/files/userfiles/files/wijuzemilipunigede.pdfIn PDF document text
    • http://aj-logistics.com/stock/userfiles/file/14292867884.pdfIn PDF document text
    • https://www.lamuccacompany.com/wp-content/plugins/super-forms/uploads/php/files/a48c6a78de9c06a2c61dcf00d36367a7/gosibisefejakebil.pdfIn PDF document text
    • https://hamzsabegi60szallo.hu/UserFiles/File/96691212588.pdfIn PDF document text
    • http://alkanboya.com/files/file///81574957833.pdfIn PDF document text
    • http://aklond.com/UploadFilesfile///2021060117582295.pdfIn PDF document text
    • http://beetsom.com/PROGRAM_FCKeditor_UserFiles/file/145812892460a1330c657fe.pdfIn PDF document text
    • http://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608333a6ec611---67929841175.pdfIn PDF document text
    • http://cdmatik.com/uploads/file/33009927431.pdfIn PDF document text
    • http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16091a16274466---63731681413.pdfIn PDF document text
    • http://zhouzhuank.com/v15/Upload/file/2021742052116360.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b69281782c---23213803961.pdfIn PDF document text
    • http://adria-ex.com/images/blog//file/gakuxusa.pdfIn PDF document text
    • http://partnerplus30.ru/images/fornews/files/zizidukuzidug.pdfIn PDF document text
    • https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608de395e95b2---3757508146.pdfIn PDF document text
    • https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/f554579183f39a6e2fbcf02ce0845531/kewirinexupofosu.pdfIn PDF document text
    • https://universitecentrale.net/uploads/FCK_files/file/xilanirolazagedojufemeko.pdfIn PDF document text
    • http://hilltop1976.com/clients/24685/File/jawufama.pdfIn PDF document text
    • https://chezgregoire.fr/userfiles/xuxovogumeg.pdfIn PDF document text
    • https://www.higher-energy-trampolineclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0f687a5f44---paritaxupogimatuzo.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d9e90625958---66443497225.pdfIn PDF document text
    • http://www.gcsystem.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16077defd9bf38---39837356832.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=how+to+get+excel+file+out+of+compatibility+modePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea0f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA0F 16592 bytes
SHA-256: 9f6c817200c992f9989e69c03a18a4761e1ae7a6dcc5c598391f80802af73df8
font_01_sfnt_off0001018d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1018D 17680 bytes
SHA-256: 20de20a2180dac50eb3d5f80b266d4dcc4e7b28d31e29f1dc257e9c84d754619
font_02_sfnt_off00013017.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13017 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off0001482e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1482E 11124 bytes
SHA-256: 5c61539b751e9f1e97f25abfc60a75f3e92176887f2509af055904657c8a6085
font_04_sfnt_off000161c6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x161C6 3156 bytes
SHA-256: 1d0061b7098d191ceb96ac61dcd3a9f38c38fb3596aa3b92e9e1b10fac9fcf42

Open this report in the interactive analyzer, or submit your own file for analysis.