Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0cfad99763189b5…

MALICIOUS

PDF

84.8 KB Created: 2021-07-18 15:12:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: d11b7c37fc0a6005c867f21f2e235688 SHA-1: 1755c2c31c0b4cbfb27883b504cf51365281ddb9 SHA-256: f0cfad99763189b5f273ae6c2e6a63af4f261a924c535a478df1f7518cc7f77e
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as a phishing trojan by ClamAV and flagged by an ML classifier. It contains numerous links to external PDF files hosted on compromised WordPress sites and disposable domains, suggesting it acts as a downloader or redirector. The SE_INVOICE_LURE heuristic further indicates a phishing pretext, likely to trick users into downloading a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://etabetasurvey.com/userfiles/files/fadewomuxawej.pdf In PDF document text
    • http://gesundezellen.de/neu/userfiles/file/43845296176.pdfIn PDF document text
    • http://leinerpakgelatine.com/survey/userfiles/files/vazimadisisetavisezi.pdfIn PDF document text
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a319fd174b---lijinidadasez.pdfIn PDF document text
    • https://www.mclarenpress.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c2d8220a63---kojubamixarineledep.pdfIn PDF document text
    • http://aunay-sous-auneau.fr/ckfinder/userfiles/files/zaziseralukusixer.pdfIn PDF document text
    • https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6e6c1bb41---wivogezi.pdfIn PDF document text
    • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/tda4sd6pj7cs5379cdsqqe79i2/fesuxubevaxotig.pdfIn PDF document text
    • https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/fe0b9b0a9f6763e647914d9ee8e57e78/gugawumumitidusevezolapom.pdfIn PDF document text
    • https://aannemingsbedrijfbarthulsbosch.nl/userfiles/file/lobupexofifo.pdfIn PDF document text
    • https://www.dolphinrfid.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609afc109ccb9---60087926228.pdfIn PDF document text
    • http://csc-021.com/userfiles/file/20210705182536_vigvz4.pdfIn PDF document text
    • http://lilit-realty.com/wp-content/plugins/super-forms/uploads/php/files/129otoigona19qahs0c2jtf786/39235034212.pdfIn PDF document text
    • http://www.orhancoskun.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b15786c200---97096470344.pdfIn PDF document text
    • https://www.lang-mayer.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a157daaca16---77142512182.pdfIn PDF document text
    • http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/92f87jlbkk2b0hnet4ehls0jh2/fipepizekibufa.pdfIn PDF document text
    • http://cesmclassof68cheyennewy.com/clients/82478/File/vovumipi.pdfIn PDF document text
    • http://phonphangschool.com/upload/files/3183018918.pdfIn PDF document text
    • http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a27993186cc---fasurusetajelefev.pdfIn PDF document text
    • http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aa16f19b1a8---48679846190.pdfIn PDF document text
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d26a9f716c1---91271161013.pdfIn PDF document text
    • https://fitnessrev.net/wp-content/plugins/super-forms/uploads/php/files/6h88bisah1jvnd1gll479uh66o/73676040919.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/6h9255mp3c743402r91o1g1394/18778195517.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=bill+lauch+nowPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb3c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB3C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010353.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10353 10068 bytes
SHA-256: ca5f84113130946ef18dbac7b5c2aa8a53b21e4ed8e010db92b1039c984e225e
font_02_sfnt_off000119ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x119AB 17152 bytes
SHA-256: 5f5868da92d75ae3185354d4eeda5da4dd73b14f9b8d9edaa0be93ab419bc1b4