Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4bdbd45ab30784a…

Verdict: MALICIOUS
File type: PDF
Size: 80.7 KB
Created: 2021-09-03 16:08:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-24
MD5: 2ea8891fc721bfbff8f114df3fde9453
SHA-1: 0cb8e372ca1a31135dab6d7c385e3c604175e7ac
SHA-256: f4bdbd45ab30784aad7368e573dd622c1c52135a01dabb452a269188a29661bb
Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains a link farm with numerous URLs pointing to compromised WordPress sites, likely serving as a lure for users to download further malicious content or visit phishing pages. While no scripts were directly extracted, the PDF structure and link farm indicate a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics (6)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d6a8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD6A8
    Size: 17416 bytes
    SHA-256: f938f31435907efcad945292815a5f603230ec2fba8c0e1076b91cc462c18a74
  • font_01_sfnt_off0001043e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1043E
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_02_sfnt_off00011c55.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C55
    Size: 10920 bytes
    SHA-256: c23368b3b785ff1f4fe85184f27ec76e5466d4c9642abb5e059d8636461a9460