Malicious PDF — malware analysis report

Static analysis result for SHA-256 edaebbb9837e1ae6…

MALICIOUS

PDF

88.3 KB Created: 2021-08-07 01:07:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: 42880139bf7ed97f8d48309bed52e77e SHA-1: 38b10107179459164f875fa091cbf1af2d51cf28 SHA-256: edaebbb9837e1ae6f70acde024eddf94cc66716f97e4c4c3462441ecbc78eb3a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external links, many pointing to compromised websites or disposable hosting, indicating a link farm for phishing or malware distribution. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded JavaScript likely facilitates the redirection to these malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9949

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://locktactyuma.com/ckfinder/userfiles/files/rebexoni.pdf In PDF document text
    • https://peilimineko.com/userfiles/file/lavivimufo.pdfIn PDF document text
    • http://bezpieczna-strefa.pl/wp-content/plugins/super-forms/uploads/php/files/f3a2d87cf56dbecd4cbc7c6c16b0ad0a/67788697235.pdfIn PDF document text
    • https://avenue102.com/uploads/file/lorosaxuserubefumaj.pdfIn PDF document text
    • http://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/d5c8ea781aafcd9d9ee82e01cdc7e91a/50481698670.pdfIn PDF document text
    • http://decom.pro/admin/ckfinder/userfiles/files/vejirefekobumozim.pdfIn PDF document text
    • http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7ee844bcc4---17023542231.pdfIn PDF document text
    • https://riolospettacoli.it/filesUploads/file/vumukedonixetemiva.pdfIn PDF document text
    • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/160acf9a1f119c---42381126277.pdfIn PDF document text
    • http://cukorbetegshop.hu/files/xokidifo.pdfIn PDF document text
    • http://theopenhouseclub.com/wp-content/plugins/super-forms/uploads/php/files/2862ef487e7101380d3f69b597c36819/21799209571.pdfIn PDF document text
    • https://foundryindia.org/userfiles/file/85383808687.pdfIn PDF document text
    • https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607569d7e5f21---rafobevozesavivurifegimo.pdfIn PDF document text
    • https://verlauf-ekb.ru/admin/ckfinder/userfiles/files/91245657254.pdfIn PDF document text
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/1608a17e979083---13962315318.pdfIn PDF document text
    • https://enville.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2841e163d4---48532285025.pdfIn PDF document text
    • http://duepassidalcentro.it/userfiles/files/kuwibe.pdfIn PDF document text
    • http://konstruktor33.ru/app/webroot/files/files/30588875368.pdfIn PDF document text
    • http://kozelskadm.ru/files/uploads/files/zukutaroben.pdfIn PDF document text
    • https://bluebeakbranding.com/wp-content/plugins/super-forms/uploads/php/files/2936719ad34c71d67f5c4a8cec29b52b/balorezelavuliliwi.pdfIn PDF document text
    • https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609e8526862fb---wovumemipikazivutiluzi.pdfIn PDF document text
    • https://cffcommunications.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/160738ec0d1531---40528462981.pdfIn PDF document text
    • http://www.nisbd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a38628ab12c---zutijegupovuxoxomikadif.pdfIn PDF document text
    • https://xlux.vn/wp-content/plugins/super-forms/uploads/php/files/04gqvbv1q6t40a6725hlvo5gr5/22982402852.pdfIn PDF document text
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/8p0k2agvsr33u4ehlkcodc4qhv/58688184005.pdfIn PDF document text
    • http://chinhsuasolieu.com/media/files/62283760998.pdfIn PDF document text
    • https://www.theoakshealthcare.com/my_content/js/ckfinder/userfiles/files/takipufa.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=how+to+connect+your+xfinity+remote+to+your+tv+volumePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3da.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF3DA 17108 bytes
SHA-256: ed11b19bb4c52e971f0bbacd98fb70ebf9a810dccb38fce3504e00a22a3452a6
font_01_sfnt_off00012019.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12019 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013830.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13830 10628 bytes
SHA-256: bbea57f6b812000563112cb00d6e19024c36f1a2b3676622759272f73a5b568d

Open this report in the interactive analyzer, or submit your own file for analysis.