Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc49a487ccc33305…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-07-23 02:55:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-14
MD5: cc9ec6709e3f7c2cca90933367543d8a
SHA-1: 4320fe7cccd3f4f3bddd32efae936a35ea502c06
SHA-256: fc49a487ccc33305f826a5cbec677cc8710a497bcd55f7294427bce023aec5e8
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics indicate it contains numerous links to compromised WordPress upload directories and disposable hosting, suggesting it's part of a link farm designed to redirect users to malicious content. The primary malicious URL identified is http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/gc4vpk5cvjgttqnk4fmb84dbb6/18886617776.pdf.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://weddingdiy.cc/uploadfiles/files/20210628_045232_7123.pdf (in PDF document text)
    • http://festivaldeliteraturadepereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077b7e4eb42f---lomorokitusufezit.pdf (in PDF document text)
    • https://csom.cz/wp-content/plugins/super-forms/uploads/php/files/8d551f69c965270e0e3d226beb86c9c9/pesalovezamufefulibus.pdf (in PDF document text)
    • https://paloaltospeakerseries.com/wp-content/plugins/super-forms/uploads/php/files/80fd53d55e056a4a4a20a8be37414690/komejavapujoxa.pdf (in PDF document text)
    • https://hijaustabilo.com/contents//files/86865972239.pdf (in PDF document text)
    • https://akproauto.net/nbloom/fckuploads/file/rukomadipigepovomolepidu.pdf (in PDF document text)
    • http://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/5248f717381ecb6903e22164a0fa60df/gulijisubutuxopapanupukiz.pdf (in PDF document text)
    • http://botanicgardenscafe.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609cf8f8ae2c5---54909004406.pdf (in PDF document text)
    • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6db08dd8e---xumafaj.pdf (in PDF document text)
    • https://amatnieks.lv/pictures/image/zatezileberepido.pdf (in PDF document text)
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/vt15ikhptjdc9nfgp05tgpscif/tunuxufagikiwatuf.pdf (in PDF document text)
    • http://fra2ange.it/userfiles/files/90106697831.pdf (in PDF document text)
    • https://www.tangelo.no/wp-content/plugins/formcraft/file-upload/server/content/files/1608d77eb48257---1751406083.pdf (in PDF document text)
    • http://bioterapiazabiegi.pl/obrazy/file/dazijuvarepex.pdf (in PDF document text)
    • https://chp-travel.ir/data/file/dititubekevadejinu.pdf (in PDF document text)
    • http://timnhanhonline.com/upload/files/mojijasizafegukesapub.pdf (in PDF document text)
    • http://cnex.cc/images/blog//file/35885616984.pdf (in PDF document text)
    • https://semineebrasov.ro/printuri-fi/files/99753713567.pdf (in PDF document text)
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/gc4vpk5cvjgttqnk4fmb84dbb6/18886617776.pdf (in PDF document text)
    • https://schilderlesvakantie.nl/ckfinder/userfiles/files/boxejari.pdf (in PDF document text)
    • https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/f055efd51792e521eb66fd97e3577de4/8112885940.pdf (in PDF document text)
    • http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/16081edd083476---87230162057.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=find+the+factors+of+15 (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dc01.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC01
    Size: 17404 bytes
    SHA-256: 9a6b22341dc82229e8595fd945a345896983c9d9edd92840cda222ca878da8e8
  • font_01_sfnt_off000108e3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108E3
    Size: 10688 bytes
    SHA-256: 86eab9e2ad67fe6f27464f2464c31a54ea28e53816511ba5241ab2f2c6672c37
  • font_02_sfnt_off00012163.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12163
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1