Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcedd69c0c33f16a…

MALICIOUS

PDF

210.3 KB Created: 2021-07-13 17:16:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 0d02081ae463f21f19fdf60963f3a3d0 SHA-1: e42d115a694984bce2b5664b713596a231037247 SHA-256: dcedd69c0c33f16a3e55b80bcaff257a62c7bb6bf0b032f06ab3a53aa3f4336a
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to compromised WordPress upload storage, indicative of a phishing lure. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are consistent with a phishing campaign designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8156

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://belgradenightlife.info/wp-content/plugins/super-forms/uploads/php/files/r2vhkuf93gra46g5vsumgg4jed/tilefodijalafabo.pdf In PDF document text
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/fuqhv2qg65hm2qg4qrd7h22tut/kewenoxopez.pdfIn PDF document text
    • https://criteriacambio.com.br/wp-content/plugins/super-forms/uploads/php/files/tkr3ioeaeoh2nhipcrsddmlt5d/93195537582.pdfIn PDF document text
    • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/d76cd9f1a95953a25dd66b64e90ab031/jolezanibuvopedikifavefa.pdfIn PDF document text
    • http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082d22920e2f---refaxubigowow.pdfIn PDF document text
    • http://msslink.ru/userfiles/files/76424849992.pdfIn PDF document text
    • http://www.sevenchurchestour.net/seven/wp-content/plugins/formcraft/file-upload/server/content/files/1606f3acd8b8eb---daxavogajetij.pdfIn PDF document text
    • http://wijnhuis-vaessen.nl/site/data/ws/files/187338496.pdfIn PDF document text
    • https://tnmkor.com/FileData/ckfinder/files/20210713_AA39A8A734FEA83C.pdfIn PDF document text
    • http://slp61.com/clients/e/e2/e296dcecfd7d10ffef0cc83fef253c72/File/nelotigujuve.pdfIn PDF document text
    • http://asustainable.com/global/file/696443735.pdfIn PDF document text
    • https://bamfieldrental.com/userfiles/file/duruvamamu.pdfIn PDF document text
    • http://christschoolblr.in/userfiles/file/75461400617.pdfIn PDF document text
    • https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/d853da45923d79d85ec8491f8387e366/wexorov.pdfIn PDF document text
    • http://zhouzhuank.com/v15/Upload/file/20217131754492304.pdfIn PDF document text
    • http://accessprecision.com/userfiles/file/fugokufagiwixowasepa.pdfIn PDF document text
    • https://hasekei.jp/userfiles/file/86314327974.pdfIn PDF document text
    • https://amenajarisiconstructii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607885d5da3a5---lameketaz.pdfIn PDF document text
    • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/3j5nun5seu7t3fcr5krpv540u2/38970556598.pdfIn PDF document text
    • http://teenmag.cz/userfiles/file/95091271577.pdfIn PDF document text
    • http://kimandyoo.com/userfiles/file/39670940961.pdfIn PDF document text
    • http://springswellness.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609d1bb8b35d9---70942378.pdfIn PDF document text
    • https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/23f737ca1c361b3572e75c1d6068a097/wumomokevazexujafozarame.pdfIn PDF document text
    • https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/2143221bf8e6d1321805a963eff2a627/bosarujiwobuma.pdfIn PDF document text
    • https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/mqjntredab8ht78tkbhkbgtvth/kufuvuturuxavedufegi.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=related+in+tagalogPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000252c5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x252C5 23964 bytes
SHA-256: 2b4481b97e736c0f19ce56be8a6c6a156ab704e7b19d0b9b701721dfa3e9725c
font_00_sfnt_off00023c0c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23C0C 10200 bytes
SHA-256: 8030ec6b4cbb724aacdb87690efa3fd144a077db0d07a472e974886712380b35
font_02_sfnt_off00027df2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27DF2 25492 bytes
SHA-256: 1e34fd25b93828f8c021aadd46ab1315f50388504d18baac80baadd04a1a1d31
font_03_sfnt_off0002b958.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2B958 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_04_sfnt_off0002d166.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2D166 39140 bytes
SHA-256: e1e34f878c600db39093908f7008ebe0a0094aab1f840d6a179e4469434f3b37