Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa22102687231601…

MALICIOUS

PDF

83.7 KB Created: 2021-09-20 12:38:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 590dc64d321d0eec1e67adc2fccec1ec SHA-1: ebae0b47e91fc50ac0da464b387c552bf2afecc7 SHA-256: fa221026872316011fceb15cc2ccd6aa6e6c9c71167b63d0342ae036a9c79266
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, suggesting a phishing or malicious redirection scheme. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://champagne-marc-chauvet.com/images/files/48044518560.pdf In PDF document text
    • https://homestayhoian.vn/uploads/image/files/97561854982.pdfIn PDF document text
    • http://archiw.gbpopatowiec.pl/img/upload/files/bategexoralimisubavo.pdfIn PDF document text
    • https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/3d3226bc778a35ba3fdf5c8d2b06f8a0/minupiliwinixi.pdfIn PDF document text
    • http://aihyang.com/userfiles/file/gakuzakedexokirawegokudul.pdfIn PDF document text
    • https://nyirfa.hu/uploads/files/74893742713.pdfIn PDF document text
    • http://tanphatinst.com/vietkiendo/upload/file/sozegedimofajemin.pdfIn PDF document text
    • http://ronaldtan.nl/images/photo/tuxugevifuz.pdfIn PDF document text
    • http://studiodugnani.it/userfiles/files/34630020508.pdfIn PDF document text
    • http://www.investing-in-women.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613380c4d063c---fefazovuwalejasokekafagi.pdfIn PDF document text
    • http://svatba-emi.com/uploads/pages/files/sadexapexekigog.pdfIn PDF document text
    • http://hyunshin.net/userfiles/file/83508102332.pdfIn PDF document text
    • https://nieruchomosciturystyczne.eu/files/file/fuxogurevo.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/16142072a4be36---bakuwamuf.pdfIn PDF document text
    • http://amidoux-peintures.com/ckfinder/userfiles/files/90342652620.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/e1d68d5253d8dcadac11e270dfaef347/soxevem.pdfIn PDF document text
    • https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d89ecb1c99---rubevazizezodazutu.pdfIn PDF document text
    • http://immobilieninvestors.net/userfiles/file/3540070875.pdfIn PDF document text
    • http://www.studiolegalefusimorelli.com/wp-content/plugins/formcraft/file-upload/server/content/files/16135f30c1a2bc---3788216606.pdfIn PDF document text
    • http://ajisushionline.com/uploads/files/linebaguruzinijatopi.pdfIn PDF document text
    • http://www.bluefashion.cz/ckfinder/userfiles/files/27192697727.pdfIn PDF document text
    • https://cfacgroup.com/uploads/FCK_files/file/bugixugozopukafi.pdfIn PDF document text
    • http://hoangminhphatkorea.com/webroot/img/files/nufotapujaxepugat.pdfIn PDF document text
    • http://www.cemeba.com/uploads/ckfinder/files/64304322391.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=ip+configuration+failure+wifi+androidPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e294.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE294 17792 bytes
SHA-256: 94410119eba9398f38642282df0be020548bdc4e5ad7c097f4c09343129d30a9
font_01_sfnt_off00011030.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11030 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012847.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12847 10764 bytes
SHA-256: 274de3ab7dc8dffc0e2b14c292d15d27c3b68d55a0bdcb9b27cd5e865035b40c