Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed787ad54a1dc17f…

MALICIOUS

PDF

84.3 KB Created: 2021-09-03 04:59:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: e2c6add3b100be3380ea2c67105ed410 SHA-1: 5160262be18b2c832bb7b921e096aac6cae00fac SHA-256: ed787ad54a1dc17fa95ba94507dbcc25f327838ad8eb1907908058c1e9e75c86
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress sites and disposable hosting domains, indicating a link farm designed to lure users to malicious content. The ClamAV detection and ML classifier strongly suggest this PDF is malicious, likely serving as a phishing or malware distribution vector. No scripts were extracted, but the extensive use of external links is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ketchas.ru/uplcv?utm_term=bucoliche+traduzione+pdf PDF link annotation
    • http://parmalab.it/userfiles/files/8270876704.pdfIn PDF document text
    • https://luxmarketing.agency/wp-content/plugins/super-forms/uploads/php/files/79vl1p74aa0p1krqpe1ofop8ud/nelamilazux.pdfIn PDF document text
    • https://ochronaskory.pl/pliki_user/File/retewuxifilubijukarumuja.pdfIn PDF document text
    • http://3handseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f8b9cb34ce---81686395866.pdfIn PDF document text
    • http://francisfamilyreunion.net/clients/870293/File/mavemesutoxibujuzelax.pdfIn PDF document text
    • https://seataclightingalaska.com/wp-content/plugins/super-forms/uploads/php/files/70ea6464a5e5bd90dc9113baf58795fe/63147961704.pdfIn PDF document text
    • https://eobliecky.sk/userfiles/file/degigavadujoxifeka.pdfIn PDF document text
    • http://cristalensi.com/public/File/56555331882.pdfIn PDF document text
    • https://gdr.co.il/wp-content/plugins/super-forms/uploads/php/files/82177e84d08186da4e79cb704e39d6d6/10843196396.pdfIn PDF document text
    • https://brylka-kfz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160d8a37a24719---forolajarad.pdfIn PDF document text
    • https://humble-brag.com/wp-content/plugins/super-forms/uploads/php/files/eroqqj6s4mavipo4eo9tmf8e72/85816961871.pdfIn PDF document text
    • http://www.ibadirect.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b6b6134e2b4---50336620440.pdfIn PDF document text
    • https://hmradiatoriai.lt/images/files/70980316113.pdfIn PDF document text
    • http://crystalnymph.by/wp-content/plugins/super-forms/uploads/php/files/4ddfcb53ead3ef5da0a4488ff5c684d3/14123321240.pdfIn PDF document text
    • https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093948714012---nozujitagomepujaf.pdfIn PDF document text
    • http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607e8ed1a8c8d---tuzokelururixoz.pdfIn PDF document text
    • http://9meclinic.com/ckfinder/userfiles/files/ramefojupomo.pdfIn PDF document text
    • https://www.ideakliniksisli.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c9a51988d4---35611561161.pdfIn PDF document text
    • http://www.northeastmarquees.com/wp-content/plugins/super-forms/uploads/php/files/46d15ea945c9e6645419f161d28b7bed/fovuvimuxunenigi.pdfIn PDF document text
    • https://akproauto.com/nbloom/fckuploads/file/zavifemilovuguxad.pdfIn PDF document text
    • https://elpmarketing.ca/wp-content/plugins/super-forms/uploads/php/files/492ba6f48e78090ec42b2435d41021a9/96892105419.pdfIn PDF document text
    • https://www.davinci.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1607c4940e82fb---43092998638.pdfIn PDF document text
    • http://ndc-group.ru/uploads/files/kakatudu.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e540.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE540 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fd57.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD57 10764 bytes
SHA-256: 945068c6e864e402093b4ccfd1445f374f11eaf683f525749e81b74a5b5d5808
font_02_sfnt_off00011610.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11610 17596 bytes
SHA-256: 685a88d14938633bd31a9577e8983f7ad1740bbbc3a17db592b0f183bb661aef