Malicious PDF — malware analysis report

Static analysis result for SHA-256 eba48a2eadd68c42…

Verdict: MALICIOUS
File type: PDF
Size: 112.7 KB
Created: 2021-06-10 14:59:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6639d01baadd046b0e61ef88a55eecde
SHA-1: 983414f33a1fc42cfc695868134165fad2a8c30d
SHA-256: eba48a2eadd68c42d617343d2b7fc84734de00995a49bf84362894414abf2a81
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting a link farm designed to redirect users. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The presence of multiple distinct hosts and the use of 'utm_term' parameters in URLs further support the classification as a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000123f5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x123F5 | 6768 bytes | 3559b831a7488f103b01f7391d9f686587ce2372551f4eba95ec27edc080a50b
font_01_sfnt_off000134e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x134E5 | 3348 bytes | c4f788fb4fe6f6fe845488daa37bb9d52577ac897a5696416216ce19c7a7b02b
font_02_sfnt_off000140ef.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x140EF | 4688 bytes | 5fa6704a95959baf7d359f720d249725c0538f3e0f9068b6ed99906ce1c96c96
font_03_sfnt_off000150d4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x150D4 | 16292 bytes | 0ca432b14badc77bd42ddd398db069c0a323a9100b2531b7198d7b8a3987a56f
font_04_sfnt_off00017f22.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17F22 | 16972 bytes | 9424f431da3a660e2ce3dd11a408ff35017958d48db1a719869cd351b4f953ce
font_05_sfnt_off0001977b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1977B | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
font_06_sfnt_off0001a53e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A53E | 6224 bytes | 272a676c144b2df2c59e6e7e2c4eb01c6f42c89298634fb8e78221867a80fedf