Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb2bbdf65d43b9a6…

MALICIOUS

PDF

80.4 KB Created: 2021-06-25 14:05:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 91fdf19720e5256f7bcd96787bcb91d2 SHA-1: 3be0031c9f53bfd95a0fd32608d13227aed93916 SHA-256: eb2bbdf65d43b9a67f8cb53b936c018131898df9a403a5e1b357f68b88f109e0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The file contains numerous links pointing to compromised WordPress upload directories and other disposable hosting, suggesting it functions as a link farm to distribute malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.petersmetalstitching.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609bd8ab9daa6---27615465442.pdf
    • http://eros-arena-reutlingen.de/eros/userfiles/file/54582167647.pdf
    • https://kicksomeglass.com/wp-content/plugins/super-forms/uploads/php/files/5504023bfd202e99d5b77aaf5bad0efd/8367755843.pdf
    • http://www.pointcookelectrician.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160cbb38cbde4d---zekubiwawotabiwepap.pdf
    • https://nanyangtextile.com/userfiles/file/8484793211.pdf
    • https://creationstationdance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc40f32293---86017066535.pdf
    • https://www.bluegreenshouseboats.in/wp-content/plugins/formcraft/file-upload/server/content/files/1606f145018139---notofuvo.pdf
    • https://cullinanconstruction.com/wp-content/plugins/super-forms/uploads/php/files/1a5d9ftlc1fjk0fthqupgvcqp9/jujezuritutimisemas.pdf
    • http://halvani.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fec3395936---xaximoduvisulalo.pdf
    • http://zoop-tech.com/ckfinder/userfiles/files/zodepuxibewefamovo.pdf
    • https://www.nuyew.academy/wp-content/plugins/super-forms/uploads/php/files/adc291cbaf713d751bc5105d2f9296dc/22002107565.pdf
    • https://deconkhoemanh.com/wp-content/plugins/super-forms/uploads/php/files/8sopb5s68aicd54mnhh4lhaldc/somamenopiwidixelonos.pdf
    • https://unicornproduction.gr/wp-content/plugins/super-forms/uploads/php/files/8df3f6c52948d9410eb12b937e831841/202259492.pdf
    • http://jp-photo.cz/soubory/files/faborogolumigatebasewunaj.pdf
    • http://jshtextile.com/UserFiles/file///37116569754.pdf
    • http://phantasos.org/userfiles/file/novojosubituwuv.pdf
    • http://www.julitolaschools.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608834b75b731---84535903883.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=unsaturated+definition+chemistry
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d513.bin
6ce92b05d476a5b0b41c191816bccaf9bf6bb35d90d180df53fc649ca2150b69		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD513 10916 bytes
font_01_sfnt_off0000ee37.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE37 16792 bytes
font_02_sfnt_off00010649.bin
c2023c4940f674b468776d4b077cf5ed52269e69a84ebed39768f05213b06044		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10649 17732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.