Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9a06dd11325fc93…

MALICIOUS

PDF

84.1 KB Created: 2021-07-14 02:23:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 38ef27680c4d89a57cfc3ff6d0d2d3df SHA-1: c48cbe4c520b8c3360942a569eab0942afbf2e3e SHA-256: f9a06dd11325fc934b163eae00c26e431a24df7d2dbf6cfc7838cfa805435dc5
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a phishing and trojan delivery mechanism. The 'SE_CLICKFIX' heuristic indicates the document employs social engineering to trick users into executing commands, likely to download and execute a second-stage payload from one of the numerous embedded URLs. The presence of multiple compromised CMS upload links and link farms further supports its role as a distribution point for malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9860

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=convert+mbr+to+gpt+without+operating+system PDF link annotation
    • https://massagetheory.ca/wp-content/plugins/super-forms/uploads/php/files/8ba7074142cca61c0ac8708ed173a34e/83129354019.pdfIn PDF document text
    • http://caryhigh1987.com/clients/41333/File/8058104994.pdfIn PDF document text
    • https://vieclamhanoi247.com/upload/files/zesarilebeka.pdfIn PDF document text
    • https://leunamgroup.com/wp-content/plugins/super-forms/uploads/php/files/34c1ba114b5ac8f4cd52e1bb53f3a9d6/64215197345.pdfIn PDF document text
    • https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/4d36e05a446d033872a6e2f6e8f17841/zifizijarefowexuvivev.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbf5ce96cd---vusinazedonapona.pdfIn PDF document text
    • https://audreyheselmans.com/_files/file/rilebuvefexerigegogaki.pdfIn PDF document text
    • http://asijskepotraviny.cz/files/file/41914871584.pdfIn PDF document text
    • https://retentionstudentexperience.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f06ed84370---piveb.pdfIn PDF document text
    • https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/6a2a98c8c9be3fbd917d8a11d12c5e9f/vudotujurejiwibatap.pdfIn PDF document text
    • https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/160e1c54705489---fepavaxojikujeral.pdfIn PDF document text
    • https://xn--64-mlcufjjaii0l.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/4fa9074115a44eccd02127d98b8dbf18/lafajipifekowite.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c52a6194b63---vuwagopirorarasom.pdfIn PDF document text
    • http://kimhoatra.com/upload/fckimagesfile/vanasusesegokotumifavego.pdfIn PDF document text
    • https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/98e26c7fbba3a09a39cb98b1c60200df/sowimanes.pdfIn PDF document text
    • https://rrvchefs.com/wp-content/plugins/super-forms/uploads/php/files/e69545688fee94cdc2f21433d66184ee/11146242795.pdfIn PDF document text
    • http://griswoldremgmt.com/uploads/files/wikelukepisekujo.pdfIn PDF document text
    • https://sckstone.com/wp-content/plugins/super-forms/uploads/php/files/036d8009171cf9e00a456fb6b7f33c75/balumanamixudow.pdfIn PDF document text
    • http://www.moteco.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160801a805260d---3346330552.pdfIn PDF document text
    • http://clearlakesd.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607bab9d214b4---83908207180.pdfIn PDF document text
    • https://samtee.com/admin/images/file/14029371674.pdfIn PDF document text
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc0d5112d9---pedotimupozoz.pdfIn PDF document text
    • https://playgametoday.ru/wp-content/plugins/super-forms/uploads/php/files/621328e1a27ef0ad979672bf65bd8c40/52015325834.pdfIn PDF document text
    • http://akbmodel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070c89208417---96176403573.pdfIn PDF document text
    • https://gaseg.com/wp-content/plugins/super-forms/uploads/php/files/2d1qbqm6fgttfto855pu4vl9rv/13820087253.pdfIn PDF document text
    • https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/b6e19352c6fb16cd8c38aeb8d838129b/39030486656.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e433.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE433 17076 bytes
SHA-256: 500b6dfa41609b5d57489b6c02f732db080df78147adc480f4b03aaeab13f4c3
font_01_sfnt_off000110b8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x110B8 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000128cf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x128CF 11192 bytes
SHA-256: 84c5d3d97447e85f927d78410ec9e29149b57c28ce209e7e1afca8975ce89df6