Malicious PDF — malware analysis report

Static analysis result for SHA-256 f84d64a753ee06da…

MALICIOUS

PDF

90.4 KB Created: 2021-07-18 19:05:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 77ca220bc465f2799e18804acce06c30 SHA-1: ccc2813649d3df8eecac7d5855a7d63ab9c2c870 SHA-256: f84d64a753ee06daf2eff787cf9af0f0593f16bcafd9608304140f742b541325
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning model indicated a high probability of maliciousness. It contains numerous links, many pointing to compromised WordPress uploads, suggesting a link farm or redirection tactic. One notable URL, http://www.agrosystem.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1609e0d5986317---fumus.pdf, is identified as a compromised CMS upload. While no scripts were explicitly extracted, the PDF structure and link farm behavior are indicative of malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.agrosystem.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1609e0d5986317---fumus.pdf In PDF document text
    • http://waypl.pl/upload/File/20145396083.pdfIn PDF document text
    • https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/c8d325e148ba94d8071261c86ad8ea87/90213071046.pdfIn PDF document text
    • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/3unpuai1jqo1f387g19ee4mep5/10730084528.pdfIn PDF document text
    • http://classicalgardenfountains.com/uplds/file/53971464847.pdfIn PDF document text
    • http://architects-desk.com/uploadsfile/94563053636.pdfIn PDF document text
    • https://digireg.sk/upload/zegijifuvazolufipusomob.pdfIn PDF document text
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a3a1284ecd2---64971156859.pdfIn PDF document text
    • http://therealmccoyfamilyreunion.com/clients/f/f9/f9ea119420dddc0cc5ac7622830b9f68/File/kivubelo.pdfIn PDF document text
    • https://poolpoint.be/uploads/file/mibiposegot.pdfIn PDF document text
    • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/s0pvi69rfjq460phcqgijjesn4/1318281561.pdfIn PDF document text
    • http://sgpeo.pl/users//file/zewun.pdfIn PDF document text
    • https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/t74naege95vugvn8vhukvf2fe1/sulofedenosewopovosuw.pdfIn PDF document text
    • http://sevoir.hu/uploads/file/joxeji.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3vuEKuznOb8/uplcv?utm_term=love+of+money+is+the+root+of+all+evil+scripturePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd4c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD4C 10984 bytes
SHA-256: 855a63c555c73e0d0d780d61e225e9588ae66bf5689191b4eefa300cb3c1695d
font_01_sfnt_off000116aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x116AA 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012ebc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12EBC 17016 bytes
SHA-256: 6f6669850255c36ee2e167bf3a92fe935ae25f9e2be21e71a54a4bc5220af20d