Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd9dab6c8d805a5c…

MALICIOUS

PDF

241.3 KB Created: 2021-06-30 18:37:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0dae69b75297813b123354c4b2fca544 SHA-1: 7da54d95c6acf8ce16284635ad1d34b4541e24d8 SHA-256: dd9dab6c8d805a5cabbacb5359785e4b3962513515c8db89c0ddcf66da065070
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links, with several pointing to compromised WordPress sites hosting PDF files. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links suggest it's designed to redirect users to malicious content, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8878

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sjalikave.hu/pictures/file/dutuxu.pdf
    • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096f1b65d184---fedumiletuz.pdf
    • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/he9jou30flm25ri9etejrtph15/kedufuk.pdf
    • https://visualarchive.bg/files/guzuwawivedu.pdf
    • http://www.kocay.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160d1c83e04d43---xozokaxekiwelapopezum.pdf
    • http://infinity-pro.ru/userfiles/file/zikibesadasozefolodarasa.pdf
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/otsi2ir2omog3vsvenai07t0u1/komurikexibesagobivupuf.pdf
    • https://goactive.hu/wp-content/plugins/super-forms/uploads/php/files/12deeddad21bdcf9d4ae9adaaeee0b2b/75946305854.pdf
    • http://evohome.pl/userfiles/file/jaromifok.pdf
    • https://www.3dreamchurch.com/wp-content/plugins/super-forms/uploads/php/files/a47bda752de6c63d492be56f33a4b37c/tovokizuxitikig.pdf
    • http://subventionsbetrug.de/wp-content/plugins/super-forms/uploads/php/files/6pq9u01970k9d8gedqtufndhqd/59440294449.pdf
    • http://kwik-it.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160bdb2d4067f0---53972908202.pdf
    • https://www.heracles-hotel.eu/wp-content/plugins/super-forms/uploads/php/files/ijri68pk90tp867scdp5h36vbv/58751145724.pdf
    • http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/cttqsj0ft2t6jouahkef8tug9l/fedole.pdf
    • https://wendi101.com/userfiles/file/21599294403.pdf
    • http://asckhn.com/acskhn/userfiles/file/mizizet.pdf
    • https://dentinale.eu/wp-content/plugins/super-forms/uploads/php/files/c1b1f76d80b82a0d20be2fe7299d7f0f/35310805713.pdf
    • https://www.hagensmarketing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607870b3a3849---jedutakuxapitowidugosawob.pdf
    • https://mygamedaysports.com/wp-content/plugins/super-forms/uploads/php/files/14a04e5a15a264805b7383bd62444ed6/gonuloxi.pdf
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160bb60e195807---36683450546.pdf
    • https://emmaushuis.org/pages/46017238545.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=blue+yeti+connect+to+iphone
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c191.bin
7930690cc52a2a5fbe7405edd13db551ca9e961f325f38d9f744c7e1371af257		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C191 16160 bytes
font_01_sfnt_off0001d733.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D733 16792 bytes
font_02_sfnt_off0001ef4a.bin
a83d06966128c96fe2182f530488f78d07c4026496d7ba63238c76d524f41f85		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1EF4A 10308 bytes
font_03_sfnt_off00020678.bin
d5c1f78540fabbe23d361a3f1c9980930ec6c5d5360cec49f7ffa18252ba6ae3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20678 156020 bytes
font_04_sfnt_off0003820f.bin
682a4e6a08e1580f7192b2b70fb1085f5c8fe0f5c4ab6f183c9b20721f3c8a27		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3820F 19528 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.