Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3cac0ebdbbee3d8…

MALICIOUS

PDF

77.6 KB Created: 2021-06-12 23:37:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-24
MD5: 54e3f02297b663528df300de65c9ae1d SHA-1: 1ffd8036a27b84eded2f9165c95918e935ab7e39 SHA-256: f3cac0ebdbbee3d8da04530d512f279974c38dbbfa65406a4c9b3cc795c6d880
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to host malicious files. The heuristic firings indicate a malformed exploit stream and a high probability of maliciousness, with ClamAV detecting it as a phishing trojan. The embedded URLs suggest a lure for downloading software, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9719

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=rom+pcsx2+download PDF link annotation
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608be41e56429---zafobikekamagategovow.pdfIn PDF document text
    • http://montaze.org/democms/userfiles/file/93800015559.pdfIn PDF document text
    • https://gdr.co.il/wp-content/plugins/super-forms/uploads/php/files/9fc71e1d6f288ba74976ecb3f61c5c58/16984192686.pdfIn PDF document text
    • https://precisionautoandac.com/wp-content/plugins/super-forms/uploads/php/files/513f19a0162144046efa61c88fc7a400/85524392008.pdfIn PDF document text
    • https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/b3ae02fba9f71de3f912c3141efc9416/57094262846.pdfIn PDF document text
    • http://scissortailfarms.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a41d59483a3---90636993771.pdfIn PDF document text
    • http://www.holderit.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb438d771b---juxivi.pdfIn PDF document text
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/1608d293dd15e1---35610922854.pdfIn PDF document text
    • https://aftaplan.com/works/peepsparty/html/upload_files/file/71266000880.pdfIn PDF document text
    • http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160a0b1e7a5c0f---xivorobuweru.pdfIn PDF document text
    • https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/30cdf793bd31d73c0adbefff0f808a92/fakigugafiluj.pdfIn PDF document text
    • http://windcampus.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb7b6dbee4---vilonedizijasusoso.pdfIn PDF document text
    • http://dhf-china.com/d/files/61601612788.pdfIn PDF document text
    • https://www.lesson-online.org/wp-content/plugins/super-forms/uploads/php/files/f17lhiimuiiknuoaq8bq54de00/90142015375.pdfIn PDF document text
    • https://www.sahabatkeluargahomecare.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085da3abfd27---tevigasaguwil.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc2f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC2F 5424 bytes
SHA-256: 95e7e92f1cf3382431f12b119b554c38572e0d2ffd1ee674df8fc719a917a3b9
font_01_sfnt_off00010eaf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10EAF 12360 bytes
SHA-256: e17cab644c68810e476ae2984a293c7deae5d17ea70d98a0631dc345c527d901

Open this report in the interactive analyzer, or submit your own file for analysis.