Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6375dfc49a10433…

MALICIOUS

PDF

88.9 KB Created: 2021-08-04 19:49:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: d1717779a2a73511632d227c9f3f97f3 SHA-1: 8fc26e6cf85679b7105b7ebbe5c937e53e5dbd66 SHA-256: e6375dfc49a104331c895b8b6b792f2af1e6e7ada86429d999c685c7d4b558cd
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links to external PDF files hosted on compromised websites, suggesting a link farm or distribution mechanism. Crucially, the document contains an explicit instruction to disable security software, indicating a direct attempt to bypass defenses and facilitate further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://abwmechanicsville.com/uploads/files/70471159884.pdf In PDF document text
    • https://kolbandibileklik.com/resimler/files/fabeninasutawa.pdfIn PDF document text
    • https://accuratesearch.com/userfiles/file/patavuxajo.pdfIn PDF document text
    • http://lifestyleufa.ru/wp-content/plugins/super-forms/uploads/php/files/306fb4e59a54d5d9c34b4b862083c4de/luviline.pdfIn PDF document text
    • http://gapp.fr/medias/files/80314639952.pdfIn PDF document text
    • https://grand-forge.ru/wp-content/plugins/super-forms/uploads/php/files/ca833de3fbe7621766822a0afce0fe46/85078098884.pdfIn PDF document text
    • https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/73638848a92bc3e0e4837e024d222e38/kunaridezefevi.pdfIn PDF document text
    • https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/161074398eb673---66148362708.pdfIn PDF document text
    • http://toyteepee.com/uploadfiles/file/2105180056134086406wgiik.pdfIn PDF document text
    • https://hotelristorantenovecento.it/wp-content/plugins/super-forms/uploads/php/files/aceaa0f0bdd7c900ab500c07fc283ac6/josuzokijuleminerop.pdfIn PDF document text
    • https://gaseg.com/wp-content/plugins/super-forms/uploads/php/files/tq5i528d9ma1bd82gm43tpl811/vajezinafavomid.pdfIn PDF document text
    • http://446888.top/userfiles/file/wenerewelolorow.pdfIn PDF document text
    • https://www.digitalsofts.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f3f975a641b---84072392246.pdfIn PDF document text
    • http://aarogyamedico.com/userfiles/file/90682312140.pdfIn PDF document text
    • http://wsp.pl/userfiles/file/16378447298.pdfIn PDF document text
    • https://banktapeunadana.com/tapeunadana/bank2/admin/userfiles/file/dojuvelusafalokesudimiko.pdfIn PDF document text
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/9650a3564a50ed405db845510ab3f5f3/5161601148.pdfIn PDF document text
    • http://www.dramayaramendes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606fdf135cabf---21277537663.pdfIn PDF document text
    • http://freemansphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dbe7e5931c---62641198512.pdfIn PDF document text
    • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/819ae81819d9286b156180ae28a86ba4/61038439925.pdfIn PDF document text
    • https://noblacklist.pro/web/img/podborky/files/85959905804.pdfIn PDF document text
    • http://ecohort.com/userfiles/files/70915136584.pdfIn PDF document text
    • http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/160a0bf9828227---panelufutudab.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=roblox+exploit+level+7+free+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db9c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB9C 10812 bytes
SHA-256: 18a924475ab03011e012014f2ee6703629effadc37689fd3cf29707de7003629
font_01_sfnt_off0000f482.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF482 16292 bytes
SHA-256: 57bce5c71454b5200a4d6e5c30d1eb977ff014dc513195aa4465287a49d6fdff
font_02_sfnt_off00010a98.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A98 18108 bytes
SHA-256: 57b82c40af90c380077df223360f70c0e1460a840850c57ea2849c6391b07b46
font_03_sfnt_off00013abc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13ABC 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.