Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed4c3df499d6d785…

MALICIOUS

PDF

89.5 KB Created: 2021-07-09 12:04:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 3a31605404f3bc25a351785cc1efa362 SHA-1: 61a6383f08bfaf6e52313c1ddb701cae8333b92b SHA-256: ed4c3df499d6d785bce497b35b6644f984c1139920d2e831360c420010299755
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a callback phishing lure. The document likely exploits a PDF vulnerability to execute code, aiming to trick the user into calling a provided phone number under the guise of a billing or support issue. Numerous URLs were found, many pointing to compromised CMS upload directories, suggesting a distribution infrastructure for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://firegallery.ru/img/upload/58580255244.pdf
    • http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608b6be8cd67d---54720122717.pdf
    • https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c2a405435e1---larononinibif.pdf
    • http://alpha-th.com/userfiles/file/22086542961.pdf
    • http://czdashan.cn/uploadfile/file/2021053110161173499.pdf
    • http://www.platformliften.info/wp-content/plugins/formcraft/file-upload/server/content/files/1609cf6dc17745---86310468054.pdf
    • https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/9e452b5de153eac328fa07c037bf0960/15504197401.pdf
    • https://altonika.pro/files/fck/file/laxubowodowopijusidos.pdf
    • http://meadescafe.com/userfiles/file/27679849682.pdf
    • https://mauspro.net/upload/files/xolidusadetovofok.pdf
    • http://ontheedgeofnow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cc0416b323---8999444746.pdf
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a851f6eda15---zujebibit.pdf
    • https://creativesilhouettes.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16073205a4a71b---99800531058.pdf
    • http://wahluenfty.com/userfiles/37981139142.pdf
    • http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609450b2e84ba---teroz.pdf
    • http://www.ellisrasbetonwerke.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160ba7d437e554---lixibozanufedejawijixozol.pdf
    • http://accronline.com/userfiles/file/lelewejedefev.pdf
    • http://macautemple.com/userfiles/file/gewivitaresugo.pdf
    • http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607509447adc0---11791243879.pdf
    • http://aklond.com/UploadFilesfile///2021060411365852.pdf
    • https://lion-trading.co.uk/wp-content/plugins/super-forms/uploads/php/files/ft078gd7fsauir6564arapnieo/35043940141.pdf
    • https://geneolock.com/locktactyuma/userfiles/file/worakidev.pdf
    • http://staging.impactredevelopment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac677e64fc8---furuwebote.pdf
    • https://craftsmancuttingdies.com/wp-content/plugins/super-forms/uploads/php/files/265230c5b7717ea9a81d0129701b2af1/muxebonedurugikugep.pdf
    • https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607af8240a24b---xedamibodojowulaz.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=do+not+attribute+to+malice
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f752.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF752 16792 bytes
font_01_sfnt_off00010f69.bin
7ffdca0a0f73158cd488026ba7083e3d635179f31205481f69990839280c738c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10F69 10464 bytes
font_02_sfnt_off00012723.bin
3a3b070dac949ce9c4ed011d3f667cf1e0bf5f23cf510b77e0e32c30633e0bd5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12723 18220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.