Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6b034dcef3f7403…

Verdict: MALICIOUS
File type: PDF

Size: 113.1 KB
Created: 2021-06-30 05:33:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-13
MD5: 9eaac1d542d82853376c1b08e24ba650
SHA-1: 772a254bc539785f89536d9f3d3ccb6d094724ba
SHA-256: e6b034dcef3f74035464a0b9e73557d9afcd2969e856c631e1f8d6b08ac2522c
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV detects this PDF as a phishing trojan. The file itself carries no script, exploit or embedded payload: its content is a list of links to external PDF files parked in the upload directories of vulnerable WordPress form plugins (Super Forms, FormCraft) on many unrelated compromised sites, and its one clickable link annotation points at a feedproxy.google.com (FeedBurner) redirector carrying a utm_term search phrase. That combination is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes visitors into redirect and payload chains hosted on compromised sites. The SE_INVOICE_LURE and SE_URGENCY_LURE heuristics show invoice/payment and deadline language used to push the reader to click, and the authoring-application metadata (wkhtmltopdf, an HTML-to-PDF converter) is consistent with automated generation from an HTML template. The risk lies in the linked destinations, which should be blocked and treated as hostile; the document is a lure, not an exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. Useful context when combined with link, macro, or attachment indicators.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (an appended revision that redefines an object), so severity is raised only when the duplicate carries active content (for example JavaScript or launch/URI actions).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    In PDF document text (page text, not link actions):
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/b5cda2a17006ac196079a649ec959d02/vefinefitejasedebedegup.pdf
    • https://barcelonamedicalcenter.com/files/galeria/files/bubapuroradereg.pdf
    • https://doitsolutions.co/wp-content/plugins/super-forms/uploads/php/files/9735d2e4c01adf1a24fea37a79e47fe0/pazanezukodasefetavone.pdf
    • http://miamiwars.pl/wp-content/plugins/super-forms/uploads/php/files/cc5b3a91e802638e770c8cd6d2d7fa61/sikuduf.pdf
    • https://orkhaconstruction.com/wp-content/plugins/super-forms/uploads/php/files/ket6ot1npcbpvcbulihcv1ud9a/44491403744.pdf
    • https://govox.co.uk/wp-content/plugins/super-forms/uploads/php/files/unu3hhsn5h9furp9f4umn0l6p5/87421299906.pdf
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/1608b5dfea5837---lozazapidevinus.pdf
    • http://aldara-latinoamerica.com/userfiles/file/38874105991.pdf
    • https://cor.org.ar/wp-content/plugins/super-forms/uploads/php/files/qmpis3k6k9aal2hlq8rqrni67d/45671560287.pdf
    • http://fabrykakonwersji.pl/wp-content/plugins/super-forms/uploads/php/files/d8e55602dfb4efe10b226706d433bee3/towopifugosig.pdf
    • https://www.sixteengrams.com/wp-content/plugins/super-forms/uploads/php/files/1itqft5o3nfea88brqu3lt9pph/xetokilusajuju.pdf
    • https://lasvegasrebath.com/wp-content/plugins/super-forms/uploads/php/files/fe352eb0518419412f0272d9e3258de1/71869453853.pdf
    • https://www.groupenahno.com/wp-content/plugins/super-forms/uploads/php/files/ta29rnj6j9ouavci1h3ou2vkjl/lizawejidudefunitigujodim.pdf
    • https://robotics-institute.com/wp-content/plugins/super-forms/uploads/php/files/shfkagljmh0d52o937fj0v7r7h/fawixemafi.pdf
    • https://luxmarketing.agency/wp-content/plugins/super-forms/uploads/php/files/4qcmchp8injmmb0nrdb548o0f8/60161868136.pdf
    • http://somersetcountybar.org/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/13223594688.pdf
    • https://cms.blauraum.com/wp-content/plugins/super-forms/uploads/php/files/997bb5129c365622a5a883a6036fa182/wugebibevewufafekosumek.pdf
    • https://www.kasekimi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d859c17640---nabelatibas.pdf
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ce7d4cd8a97---34731818231.pdf
    • https://telewebmarketing.com/FCKeditor/file/vifowiba.pdf
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd5433a6ccf---69514530575.pdf
    • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/160958fd571131---71674873145.pdf
    PDF link annotation (clickable /URI action):
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/6naE_Nh8_CY/uplcv?utm_term=james+turrell+paintings
    In PDF document text, from XMP metadata namespace declarations and the licence fields of the embedded DejaVu fonts; these are standard metadata URIs, not indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
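As an added example (not code from the report or from the scanner that produced it), the script below reproduces in plain Python the two structural checks behind the findings above: the link-farm features used by PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM (external .pdf links spread across many hosts, targets under the super-forms/formcraft upload paths, a utm_term redirector) and the duplicate-object check behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, reporting which URI a first-wins and a last-wins reader would each resolve. It works on raw bytes with the standard library only, inflates FlateDecode streams so that URLs in page text become visible, and separates URLs reached by a /URI link action from URLs merely present in document bytes, the same channel split the EMBEDDED_URL labels make. The sample PDF, its .example hosts, the benign and redirector URIs and the threshold values in is_link_farm are constructed for the demonstration and are not taken from the analysed file.

```python
"""Added triage helpers for the link-farm and duplicate-object findings above.
Regex over raw bytes, stdlib only; sample PDF, hosts and thresholds are constructed."""
import re
import zlib
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # literal-string /URI only (no hex <..>)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")   # any URL in (inflated) bytes
UPLOAD_DIR_RE = re.compile(r"/wp-content/plugins/(?:super-forms/uploads/php/files"  # plugin upload
                           r"|formcraft/file-upload/server/content/files)/", re.I)  # dirs in report

def parse_objects(pdf):  # {(num, gen): [body, ...]} in file order, keeping every redefinition
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs

def inflate_streams(pdf):
    """Raw bytes plus the inflated body of each FlateDecode stream: page text,
    where the farm URLs live, is normally compressed and invisible to grep."""
    out = [pdf]
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        start = body.find(b"stream")
        if b"/FlateDecode" not in body or start < 0:
            continue
        start += len(b"stream")
        start += 2 if body[start:start + 2] == b"\r\n" else 1
        try:  # decompressobj stops at end-of-stream, so a wrong /Length is harmless
            out.append(zlib.decompressobj().decompress(body[start:]))
        except zlib.error:
            pass  # damaged stream, skipped (objects packed in /ObjStm are not seen either)
    return b"\n".join(out)

def extract_uris(data):
    """Split by channel: URLs reached by a /URI link action vs. URLs merely
    present in document bytes (page text, XMP, font metadata)."""
    annot = {m.group(1).decode("latin-1") for m in URI_RE.finditer(data)}
    anywhere = {m.group(0).decode("latin-1") for m in URL_RE.finditer(data)}
    return annot, anywhere - annot

def link_farm_features(urls):
    urls = list(urls)
    hosts = Counter(urlparse(u).hostname for u in urls)
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    return {"n_urls": len(urls), "n_hosts": len(hosts), "n_pdf_links": len(pdf_links),
            "n_upload_dir": sum(bool(UPLOAD_DIR_RE.search(urlparse(u).path)) for u in pdf_links),
            "n_seo_redirector": sum("utm_term" in parse_qs(urlparse(u).query) for u in urls),
            "dominant_host_share": max(hosts.values()) / len(urls) if urls else 0.0}

def is_link_farm(f, min_pdf_links=5, min_hosts=4, max_dominant=0.5):
    # constructed thresholds: many external PDF links spread thin across hosts,
    # corroborated by upload-directory targets or a utm_term redirector
    return (f["n_pdf_links"] >= min_pdf_links and f["n_hosts"] >= min_hosts
            and f["dominant_host_share"] <= max_dominant
            and (f["n_upload_dir"] > 0 or f["n_seo_redirector"] > 0))

def duplicate_objects(objs):
    """(num, gen, first_body, last_body) for objects redefined with different bytes;
    a first-wins and a last-wins reader resolve different content."""
    return [(n, g, b[0], b[-1]) for (n, g), b in objs.items() if len(set(b)) > 1]

def uri_of(body):  # decoded /URI target of an annotation body, or None
    return (m := URI_RE.search(body)) and m.group(1).decode("latin-1")

def triage(pdf):
    data = inflate_streams(pdf)
    annot, text_only = extract_uris(data)
    dups = [(n, g, uri_of(a), uri_of(b)) for n, g, a, b in duplicate_objects(parse_objects(pdf))]
    return link_farm_features(annot | text_only), annot, text_only, dups

FARM_URLS = [  # constructed sample: RFC 2606 .example hosts, path shapes copied from the report
    "https://site-a.example/wp-content/plugins/super-forms/uploads/php/files/b5cda2a17006ac196079a649ec959d02/vefinefitejasedebedegup.pdf",
    "http://site-b.example/wp-content/plugins/super-forms/uploads/php/files/cc5b3a91e802638e770c8cd6d2d7fa61/sikuduf.pdf",
    "http://site-c.example/wp-content/plugins/formcraft/file-upload/server/content/files/1608b5dfea5837---lozazapidevinus.pdf",
    "https://site-d.example/wp-content/plugins/super-forms/uploads/php/files/qmpis3k6k9aal2hlq8rqrni67d/45671560287.pdf",
    "http://site-e.example/userfiles/file/38874105991.pdf",
]
SEO_REDIRECTOR = "https://feedproxy.example/~r/x/y/~3/z/uplcv?utm_term=james+turrell+paintings"
BENIGN_URI = "https://www.example/brochure.pdf"

def build_sample_pdf():
    """One page; farm URLs as Flate-compressed page text; link annotation (object 4)
    first points at BENIGN_URI, then an incremental update redefines it to SEO_REDIRECTOR."""
    content = b"BT /F1 9 Tf 20 700 Td (" + " ".join(FARM_URLS).encode() + b") Tj ET"
    comp = zlib.compress(content)
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj\n",
        b"4 0 obj " + annot % BENIGN_URI.encode() + b" endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
        b"4 0 obj " + annot % SEO_REDIRECTOR.encode() + b" endobj\n",  # incremental update
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])

if __name__ == "__main__":
    feats, annot, text_only, dups = triage(build_sample_pdf())
    print(feats, "link farm:", is_link_farm(feats), "| annotation URIs:", sorted(annot), "| dups:", dups)
```

Run it against a real file with triage(open(path, "rb").read()). The duplicate check reports object 4 with the benign target under first-wins and the redirector under last-wins, which is exactly why the heuristic only escalates when the redefined body carries an action. Objects packed into /ObjStm object streams, cross-reference streams, hex-string /URI values and non-Flate filters are outside what this regex-level pass sees, so it complements a full parser rather than replacing one.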

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs; nothing in the report flags them.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00015842.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15842  16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00017054.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17054  18192 bytes
  SHA-256: 288e81a974428156194784989f904a759723fa415efbe90a832d30e27cf00eab
font_02_sfnt_off00019fb2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x19FB2  10564 bytes
  SHA-256: 7db70b83f05f830b25520b0a73e6a4bd63df008ba73d0e7e308b9d324caebf11