Malicious PDF — malware analysis report

Static analysis result for SHA-256 f458bf09b47af8e3…

MALICIOUS

PDF

70.8 KB Created: 2021-06-12 08:42:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0cd9e171dba02a2add9df7a1ba3fef88 SHA-1: 657751fd162a4d170a080608115cbfd97876c7d6 SHA-256: f458bf09b47af8e393f52adc2b67fb15b16b4ee1e0de2ef0fa186d951cad50fe
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF contains embedded JavaScript and a significant number of external links, many pointing to compromised websites or disposable hosting. The embedded JavaScript likely facilitates the redirection or download of further malicious content. The overall structure suggests a phishing or malware distribution attempt disguised as a download link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=duncan+balaclava+full+album+download+zip
    • http://nakatka.com/files/file/6207150492.pdf
    • https://binarbaidservices.com/public_html/userfiles/file/zizopovosotelakulewo.pdf
    • http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/160aed777a0769---fejizutogidujoralow.pdf
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/160aaa4783d7cd---38999551666.pdf
    • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/c692147d5d4af70fe523e836a6af619b/zubaz.pdf
    • http://aimic.com/userfiles/file/jalupof.pdf
    • https://www.sodigital.it/wp-content/plugins/formcraft/file-upload/server/content/files/160882b966dd1a---96804444051.pdf
    • https://motionslam.com/wp-content/plugins/super-forms/uploads/php/files/f83b69682969edffa9cfb8ab46c2cd2f/27396392018.pdf
    • http://www.contectrade.hu/fckfiles/file/73722425087.pdf
    • http://peaceinsrilanka.lk/userfiles/file/favagutorimebobibisagozaw.pdf
    • https://siphouse96.com/wp-content/plugins/super-forms/uploads/php/files/2883f4052602f2fe7021bb340922a305/77451910074.pdf
    • https://aterhesseg.com/up_image/file/jexixusajonosovazinunedu.pdf
    • http://www.peplex.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607a07f4aa758---73477305054.pdf
    • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/7fd354faf04a95f97991011e28b403f2/93257054021.pdf
    • https://sdyh.gr/wp-content/plugins/super-forms/uploads/php/files/aftjlo5743mvi54sqmfgne32c6/77764647849.pdf
    • https://luxmarketing.agency/wp-content/plugins/super-forms/uploads/php/files/d0nbu8tjeus4elbbe2eta11mbr/wixifekofogomopadexezaro.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d252.bin
90d346746b2b13511867bc24cd9e52668e0262b3d25164788ba6fd0f53c457bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD252 5368 bytes
font_01_sfnt_off0000e4ad.bin
b8c0beabe510b710982e8b43d0c4c4f022d2b5642a2dcde8a53ddf97f0e7f19f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4AD 11824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.