Malicious PDF — malware analysis report

Static analysis result for SHA-256 e50f7d088ad61fa2…

MALICIOUS

PDF

153.8 KB Created: 2021-07-08 02:10:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 0033e41f74316e68f34cb84dc17c2fec SHA-1: 432bc520e0b2d2c73488dc43ea4f44bda3612742 SHA-256: e50f7d088ad61fa2ac88bed3e2c0a11fcefdd45a1e936a533d93d02748a65ae7
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains embedded JavaScript and numerous links pointing to compromised websites and disposable hosting, characteristic of a link farm designed to redirect users to malicious content. The primary attack pattern involves luring users through these links, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9303

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://szaniterplaza.hu/ckfinder/userfiles/files/3026095689.pdf In PDF document text
    • https://alternativecarrepair.com/userfiles/file/58463678124.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160afc40c1738e---motapojeteferedunaxona.pdfIn PDF document text
    • http://www.webtony.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609b599112d58---zilefovididoluralipif.pdfIn PDF document text
    • http://brandiassociati.it/userfiles/file/denigokemizewexexeguvowa.pdfIn PDF document text
    • http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609fe3629139d---32666442818.pdfIn PDF document text
    • https://avis-medical.ma/wp-content/plugins/super-forms/uploads/php/files/755c6ea62d5648b06d3f6a312532ef9e/karewaxawivovumijuwig.pdfIn PDF document text
    • http://galluccifaibano.it/userfiles/file/zeximiwesezexosasusu.pdfIn PDF document text
    • https://orkhaconstruction.com/wp-content/plugins/super-forms/uploads/php/files/2krq3v4q2u1amv1r58dap29v6b/33840080066.pdfIn PDF document text
    • https://communeouchamps.fr/userfiles/file/sunenivalebibajow.pdfIn PDF document text
    • https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1607444c657908---lefopovi.pdfIn PDF document text
    • http://richardarnoldalumni.com/clients/a/ad/ad1dcfa6f69ac51e3fe6bec18f6cf6d6/File/65567020814.pdfIn PDF document text
    • http://ferramentabelleggia.it/public/file/newodimugutexawunupenefi.pdfIn PDF document text
    • https://nam.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b2ee869ae39---84234298380.pdfIn PDF document text
    • http://sincaremedicaltour.com/js/upload/10256994349.pdfIn PDF document text
    • http://davidhammerstein.org/userfiles/file/pagokupamagujegupote.pdfIn PDF document text
    • https://lightsourceindiana.com/wp-content/plugins/super-forms/uploads/php/files/1618fbd16b0dd2da9782a2e58ebd2819/70603299024.pdfIn PDF document text
    • http://objetivovender.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e51912730f---69850555593.pdfIn PDF document text
    • http://nail-free.com/ckfinder/userfiles/files/vakudafole.pdfIn PDF document text
    • https://www.lashharmony.co.uk/wp-content/plugins/super-forms/uploads/php/files/b9tefc0d2o3skns0gt2boucau9/kikukipinuxadawubug.pdfIn PDF document text
    • http://amirafouad.com/uploaded_files/file/kilagojeletixakujetomogol.pdfIn PDF document text
    • https://www.napariverinn.com/wp-content/plugins/super-forms/uploads/php/files/431472917361b5216b6369f163f3765a/sufuteganumivu.pdfIn PDF document text
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/0o9ka1cmfngufg9437jiek1c8c/xegepatidirewimame.pdfIn PDF document text
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/1608446c766f46---nugoxodulujilapu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=meaning+of+washermanPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0001cc25.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CC25 35972 bytes
SHA-256: 36838d39a4089abefb6756dd67f3ff3b1e3241c35ad0336b45dca1660336c7f2
font_00_sfnt_off00014a8d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14A8D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001629f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1629F 38252 bytes
SHA-256: 3dce8c4a7d26511c82f3f594eda9ca9b3c83d491e168a47c77d113e064972a4f
font_02_sfnt_off0001b41b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B41B 10596 bytes
SHA-256: 8c51d40eaec2fb9e266356c81ccd1fbfd4cece5a2f01d2a21998b12e00c31ba8
font_04_sfnt_off0002107c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2107C 25196 bytes
SHA-256: 14482c6087b8789fe0a01935c31bfa16546b82c16ce3c08d597ae360c0ff9235

Open this report in the interactive analyzer, or submit your own file for analysis.