Malicious PDF — malware analysis report

Static analysis result for SHA-256 f381c365f23d4a46…

Verdict: MALICIOUS
File type: PDF
Size: 366.8 KB
Created: 2021-09-19 13:56:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-26
MD5: f0e5ccd8400d2b88097c49587d93d41f
SHA-1: b912e40720a4a1c58d8e662ca763cc181354b5e0
SHA-256: f381c365f23d4a46f5d2f1153921593316f2badfa09d7cb4f111dbf701a283bf
Risk Score: 246

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to websites hosted on compromised CMS platforms and disposable domains, indicating a link farm designed to lure users to potentially malicious content. The presence of multiple embedded PDFs with suspicious static findings and ClamAV detections further supports its malicious nature. The primary attack pattern appears to be phishing or malware distribution via these external links.

Machine Learning

  • Nyx PDF Classifier clean score 0.0226

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 7

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000bd9a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBD9A
    Size: 10560 bytes
    SHA-256: 5682452a43bce16c8feb84ab9a567774d040bea25d285a0219cd7a359cff6a05
  • font_01_sfnt_off0000d5bb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD5BB
    Size: 17036 bytes
    SHA-256: 5f34630b29aadad59299d880665ebdda831b2de036ffc43e043b66a17c76a7eb
  • font_02_sfnt_off0001019d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1019D
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • polyglot_child_pdf_off0001253a.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x1253A
    Size: 300531 bytes
    SHA-256: f2a2a53be72ad01eb69009d33468eff73da049d2183dd8bf8d8fb6d462d03646
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off00024a74.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x24A74
    Size: 225465 bytes
    SHA-256: 6dbfb92aa5d87aaac476d56d8bc055092748d5fa028f992cb046606d5c63f7c5
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off00036fae.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x36FAE
    Size: 150399 bytes
    SHA-256: 36f3201163f329a8fe1c53bbfeb4a83162de59249630dc2ddacb29e81edda1c5
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely
  • polyglot_child_pdf_off000494e8.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x494E8
    Size: 75333 bytes
    SHA-256: f5995ea2cbd3f66507c82a62b16e406284ad6f48bed1a55bcb57a675e26ee691
    Detection: ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    Obfuscation or payload: unlikely