Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa84e88323414a82…

MALICIOUS

PDF

85.1 KB Created: 2021-07-20 11:11:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 4e1c61a1c271e73a39604ec763434459 SHA-1: 33a6417b2f31d9924cbb9021e9b3c7981707cd0f SHA-256: fa84e88323414a82bed253bbd838596c23e6f1c613153027521936d17559f1e0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised websites, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The file likely exploits a PDF vulnerability to redirect the user to one of the listed URLs, which are hosted on compromised CMS platforms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9849

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jetaime-shop.com/files/godutu.pdf In PDF document text
    • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d5d5c9485eb---vowot.pdfIn PDF document text
    • https://prospr.fr/ckfinder/userfiles/files/sawogifiburumiravir.pdfIn PDF document text
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b41c130c0ca---26402067500.pdfIn PDF document text
    • https://jodhpurtravels.com/nbloom/fckuploads/file/52740599435.pdfIn PDF document text
    • http://hakkabrothers.com/userfiles/file///95115238431.pdfIn PDF document text
    • http://www.aadhar-interior.com/userfiles/file/9078954336.pdfIn PDF document text
    • http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abbbef7e57c---34046044517.pdfIn PDF document text
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/dn8nre4qshieiuekrk3euphd2e/zupufi.pdfIn PDF document text
    • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/547d91a2f1e095ff7df825b953dc5056/32264717948.pdfIn PDF document text
    • http://rusiuojigalvoji.lt/wp-content/plugins/formcraft/file-upload/server/content/files/1608cf64fcaff1---40599969645.pdfIn PDF document text
    • http://pastoret.it/userfiles/files/9641515978.pdfIn PDF document text
    • https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1606e6b7fa0fd7---pojufutomaniw.pdfIn PDF document text
    • http://pphu-joanna.pl/fckpliki/file/49248772186.pdfIn PDF document text
    • http://gitishahjahanpur.org/ckfinder/userfiles/files/75060169289.pdfIn PDF document text
    • https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/3a8bd46d1bf8954739ebe562cd2ca70d/58699147765.pdfIn PDF document text
    • https://www.breastcancerfoundation.in/wp-content/plugins/super-forms/uploads/php/files/eacbc1a4745e963ca3549d6254429344/56672198044.pdfIn PDF document text
    • http://balogmihaly.hu/UserFiles/file/20374490955.pdfIn PDF document text
    • http://handbook.hu/upload/page/file/67023456593.pdfIn PDF document text
    • https://hopefor.today/wp-content/plugins/super-forms/uploads/php/files/dba9ca1642c7ae6b10efc98cf0699ca9/72040047437.pdfIn PDF document text
    • http://abwplazaview.com/uploads/files/33266487021.pdfIn PDF document text
    • http://macautemple.com/userfiles/file/72808157415.pdfIn PDF document text
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160948f419e9e8---zubovukimuju.pdfIn PDF document text
    • http://makingthegradetexas.com/clients/d/d4/d4716c73f098ea79da165a2194b6736a/File/70154521118.pdfIn PDF document text
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d66374cf3e9---luxurufu.pdfIn PDF document text
    • https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/b48e1444a5577d7e5c05096d613d7bc8/46812151880.pdfIn PDF document text
    • https://www.jahnigterbraak.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b28b860de5a---fesafuzilobakulemo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=risk+for+infection+related+to+pneumoniaPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea67.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA67 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001027e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1027E 11016 bytes
SHA-256: 667a843f73f05c6f37cbc9f19c62f9c895c3ad7a325b83d5710f1b02a2e57c4b
font_02_sfnt_off00011c16.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11C16 16428 bytes
SHA-256: cb36bd5842bb0c5b2f3fa6de47879c675ce68faa11f6b4f0b699ff325a38b047