Malicious PDF — malware analysis report

Static analysis result for SHA-256 f60af49ae4317dfa…

MALICIOUS

PDF

89.2 KB Created: 2021-07-22 10:11:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 8976b2d772a092ed0133db2350b20e8e SHA-1: d7ba025518fabfa18064c048864dc146db026771 SHA-256: f60af49ae4317dfaaa73bb3473f1ba6e32fcf31cf7f31b4ae0684352026da76b
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised CMS upload storage locations, suggesting an attempt to host malicious content. The presence of external URIs and a download button lure indicates a likely phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9886

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.olympusnorge.no/wp-content/plugins/super-forms/uploads/php/files/5osi43uu5eph2l5b7ie2hp4nk4/71572275765.pdf In PDF document text
    • https://birudongker.com/contents//files/bebamipiza.pdfIn PDF document text
    • http://lalinpress.es/ckfinder/userfiles/files/simanibazufo.pdfIn PDF document text
    • http://comicpapyrus.com/wp-content/plugins/super-forms/uploads/php/files/02435c6eed27f3cd11248e31a9210ce8/suxebiwujimibos.pdfIn PDF document text
    • https://www.citysecurity.org.uk/wp-content/plugins/super-forms/uploads/php/files/6d5dkuuf2q2gmh2287c09q87gf/kezowalutajejume.pdfIn PDF document text
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160743d394ee15---54531934924.pdfIn PDF document text
    • https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607efb2f698bb---62224046542.pdfIn PDF document text
    • https://edoxmarketing.com/wp-content/plugins/super-forms/uploads/php/files/4aless2c76vm54k9vntkogb2om/lawisotebulukefobulap.pdfIn PDF document text
    • http://www.ambredore.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f372df17c4---rusobiwamodozofaj.pdfIn PDF document text
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/esdd2nkg0rvb3ak4l4igg0gu84/34104644703.pdfIn PDF document text
    • http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085d716c0e0b---28532048229.pdfIn PDF document text
    • https://plswa.com/wp-content/plugins/super-forms/uploads/php/files/c22c0dafb9f6231d986d52036418557d/52869813393.pdfIn PDF document text
    • https://bya-ingenieria.com/ckfinder/userfiles/files/lonodosimevemexusakuv.pdfIn PDF document text
    • https://northstarexecutivesearch.com/wp-content/plugins/super-forms/uploads/php/files/67478d2d046b11c43f9363227f18b75e/55835884592.pdfIn PDF document text
    • https://traveltokiev.com/wp-content/plugins/super-forms/uploads/php/files/hpt6kpk8tg33of9hntmn85diq7/71421495815.pdfIn PDF document text
    • http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160968777db765---pubidorozivote.pdfIn PDF document text
    • http://blueyee.com/upload/file/200448274444.pdfIn PDF document text
    • http://agrobud.net/uploaded/file/21052486978.pdfIn PDF document text
    • https://miaousland.fr/ckfinder/userfiles/files/jofizujutawotedut.pdfIn PDF document text
    • https://acethamessecurity.co.uk/wp-content/plugins/super-forms/uploads/php/files/e38ee8177eb77b808c8ffdfd452cf3de/36669988670.pdfIn PDF document text
    • https://bank-kredit.at/ckfinder/userfiles/files/pezonadiwot.pdfIn PDF document text
    • http://for-rent-leuven.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087e8b475226---41282479762.pdfIn PDF document text
    • https://www.emma-solutions.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607faf9647757---22984573595.pdfIn PDF document text
    • https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/jsknhrbfsbh580ibdm7d4pb3qr/zazoxazomepe.pdfIn PDF document text
    • http://www.stockholmswingallstars.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b9d149ef149---61189097750.pdfIn PDF document text
    • http://onishi-kyosendo.jp/archive/mokorusadi.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=step+by+step+how+to+draw+a+batPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f6b8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6B8 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010eca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10ECA 17212 bytes
SHA-256: 5f17461f89feec59fe317da28278e66b3b20c31a56e6fb8f4f27519300586d5b
font_02_sfnt_off00013b86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13B86 10660 bytes
SHA-256: 4088f138b739b6054156d50f737cb4f2513ee8531c9bbed70ba6d7f888f72438