Malicious PDF — malware analysis report

Static analysis result for SHA-256 f03134605067a975…

MALICIOUS

PDF

90.1 KB Created: 2021-05-17 04:23:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c994e7bb165c1abf69be2d99ac430620 SHA-1: 12fc05ccef49de0d73190ddb65270d3c0e636563 SHA-256: f03134605067a975064c38b0c6ce00364ad1baf515d4b09e6139b842e724588c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links pointing to compromised websites, likely intended to redirect users to malicious content or phishing pages. The document body, though heavily obfuscated, suggests a 'newsletter template' lure, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609474e06fedf---lotavumifixuzus.pdf
    • https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/5itco1pns2u4h41oahlf99kvs5/likimovitovosukupapufekek.pdf
    • https://www.grandiosa.is/wp-content/plugins/super-forms/uploads/php/files/5hcseb0igf19qfu2bmjqidntv6/kotumulebexuvopupenexewo.pdf
    • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1606c961a8f508---kexekilud.pdf
    • https://www.jahnigterbraak.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609f4bbc3cf07---56246855809.pdf
    • https://mithermomix.com.mx/wp-content/plugins/super-forms/uploads/php/files/6eda389a819d0e0c70eee31aa3d5124d/negafiw.pdf
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/iq3gb42tpl9b31pu97f9lk7s8e/15196238472.pdf
    • https://www.harasportcenter.com/wp-content/plugins/super-forms/uploads/php/files/q1u3gkfeg48fc1u6mopdsojnka/zibematuka.pdf
    • https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/82ud0l0ofdhgmabip7ujtoapd6/borigipa.pdf
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099dc4fbc2fd---3180604049.pdf
    • https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/358d33592fbc2aac7e7330936b1aeaa3/91058968572.pdf
    • http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d880f8d29f---komebozofafexujuk.pdf
    • https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090b7d6cfcd4---raxelinolig.pdf
    • https://cplastik.cz/data/cms/file/tatifuramolosewa.pdf
    • https://unicornproduction.gr/wp-content/plugins/super-forms/uploads/php/files/0f59c52d312b526ba00d1a1a45ea837d/rogedesigovajegexupumi.pdf
    • http://romanakladatelstvi.cz/userfiles/file/xaravefoveworif.pdf
    • http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077937bee423---16610481730.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/fzgW7-mxBc0/uplcv?utm_term=newsletter+template+outlook
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001277e.bin
97386d4b104a5e46b945a97c1f8e34adb767c111fb46d4b7f03214fce3b7f449		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1277E 5092 bytes
font_01_sfnt_off000138c7.bin
8caf6de605d9ed6a50fc2b1a9237b41878d347ed0631f79e8fb2f007a8f2c6eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x138C7 10288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.