Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb94335c6071628…

Verdict: MALICIOUS
File type: PDF
Size: 106.5 KB
Created: 2021-06-25 23:19:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-08-25

MD5: 2953225b8b706da36920c551ee2f6fae
SHA-1: 3308e8dd4680281bea6d899281ba3b6e557f17d2
SHA-256: deb94335c60716281bb943348ae597cf29e2143a68625b651d85c36c3d21bed4

Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, with many URLs pointing to compromised CMS upload directories, suggesting a phishing or malware distribution scheme. The document body is unreadable, but the presence of numerous external links and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic strongly support the link farm attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9797

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium; rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    The small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000140a5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x140A5
    Size: 10072 bytes
    SHA-256: 726628bb04dd8ff4010f21c8a5e3cb3ef548f181c5ba15b11bce729fa6c016b8
  • font_01_sfnt_off00015725.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15725
    Size: 17508 bytes
    SHA-256: 9a72b370dfb72a1d3fb06d044ec0612ebdfa288837493abac3355e255a991a68
  • font_02_sfnt_off000184ef.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x184EF
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1