Malicious PDF — malware analysis report

Static analysis result for SHA-256 f78be071ff3ffd95…

MALICIOUS

PDF

350.7 KB Created: 2021-07-17 09:57:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8e795f65a7c522f091b545d738e43644 SHA-1: 2d47a140c551c6fb5ef4bb8db402482de1f3265d SHA-256: f78be071ff3ffd95c02c3600198851b83936a0ce64718f10bc1b112941160804
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to host and distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. Although no scripts were directly extracted, the presence of numerous external links suggests a downloader or redirector pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9784

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/8f2154e5be07e213983c8ea8e0bf3412/49318762495.pdf
    • https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/7gomt1ujv3phmd25lj9ak2mg2r/65144564681.pdf
    • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/447ff06e6a5d272522a2347755d90237/27067088285.pdf
    • http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/160724e0b60a50---41342280759.pdf
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f1be0ab5ef0---7635820906.pdf
    • https://matrainagycsalados.hu/userfiles/file/duzonitexuxuguto.pdf
    • http://ankamet.com/userfiles/file/vozuzo.pdf
    • http://taxicityplus.ru/userfiles/file/75638479455.pdf
    • https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/160968e24aa7eb---77673732298.pdf
    • http://lookkorea.net/userfiles/file/27675776975.pdf
    • http://biosafety.biz/ckfinder/userfiles/files/bevimu.pdf
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/160934f15537f4---vananikomebexorutirolovok.pdf
    • https://www.die-umzugsfabrik.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ddc3068e153---43504672941.pdf
    • https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/72f10fac1cb4a932ad352ca5db3ae916/41666269544.pdf
    • https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/e8bdf80ba3eb54f90a9a44217a606bfb/36781190449.pdf
    • http://wignaccent.com/FCKeditor_2.6.3/userimages/file/20210712092723.pdf
    • http://drkoopman.nl/cmsimages/file/1343592219.pdf
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/f7b57b5869e2f1b866e8f28a997a9f94/zolukizuno.pdf
    • http://poexali.org/static/image/_u/system/files/61683813715.pdf
    • https://www.die-umzugsfabrik.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093a875a3535---24221178789.pdf
    • https://www.femregenx.co.za/wp-content/plugins/super-forms/uploads/php/files/2n2uatrnc1mathdub8tjn6qtpk/74655953979.pdf
    • https://aryaayur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c57f17b6779---gefesewagixo.pdf
    • https://gaseg.com/wp-content/plugins/super-forms/uploads/php/files/7j0p0k0jlh1fsmqhuf1v5h0ofc/152924375.pdf
    • https://cplastik.cz/data/cms/file/58790555843.pdf
    • http://mcleod-bobbitt.com/clients/64742/File/11105566365.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=yow+to+syr
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000513b2.bin
02f243b166540bf8fa6c2ef6214dff2d52ba83f20ff6a22e55fb886cda7e0125		 pdf-font-stream PDF embedded font (sfnt) at offset 0x513B2 16916 bytes
font_01_sfnt_off00053ea2.bin
c9b6a94a5e4405df33c529365f66774e748d9a07cc67a152c724e07c5837f94d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53EA2 9748 bytes
font_02_sfnt_off00055415.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55415 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.