Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd3daa1d96a8c2ea…

MALICIOUS

PDF

76.9 KB Created: 2021-08-11 21:46:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: a42de1f1c53b8bb2f71b4e9fee7c944e SHA-1: cf00c436fbe494fae945576c840f76b9fc0307d2 SHA-256: fd3daa1d96a8c2ea7276069df665733f5a0861bfc77cc0457c1bb792fc5acfc4
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external links, many pointing to compromised WordPress sites or disposable hosting, suggesting it's part of a phishing or scam campaign. The 'SE_CALLBACK_LURE' heuristic specifically indicates a callback phishing pretext, aiming to trick the user into calling a fraudulent number. The ML classifier and ClamAV detection further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://theclubburger.com/uploads/files/dukusudobusez.pdf In PDF document text
    • http://bundoreh.com/fckeditor/files/file/rotewep.pdfIn PDF document text
    • http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/160e098c33bab0---68562885308.pdfIn PDF document text
    • https://michaels-limo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7b85ec0959---jikol.pdfIn PDF document text
    • https://bilalyapidekorasyon.com/userfiles/file/sesisivo.pdfIn PDF document text
    • https://nulifeus.com/~nulife/userfiles/file/8181829273.pdfIn PDF document text
    • http://dietmoiquangle.com/webroot/img/files/61545177301.pdfIn PDF document text
    • http://rockhouseschool.com/rockhouse/uploads/files/molup.pdfIn PDF document text
    • http://maduraicaterers.com/app/webroot/js/ckfinder/userfiles/files/mikipul.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/37f41c76f0d213c6b22b32114b9a119f/tidafanojifikavodopijibux.pdfIn PDF document text
    • http://sammyurias.com/userfiles/files/11594499706.pdfIn PDF document text
    • https://abril.pe/wp-content/plugins/super-forms/uploads/php/files/ipeo9jt9s9h139bnbrqdfap3gi/64620983843.pdfIn PDF document text
    • http://www.smwiarus.pl/ckfinder/userfiles/files/70054643706.pdfIn PDF document text
    • http://aksaaydinlatma.com/img/editor/image/file/98218232946.pdfIn PDF document text
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b0e2515a5a2---tebuxo.pdfIn PDF document text
    • https://mandalaconfeccao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16084b8043b4c4---21206780514.pdfIn PDF document text
    • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/16076ec5d6bdb5---89195028951.pdfIn PDF document text
    • https://brazilairporttransfers.com/ckfinder/userfiles/files/28544790905.pdfIn PDF document text
    • http://pantryscan.com/123cars/imagefck/file/68002137092.pdfIn PDF document text
    • http://www.pianoszimmermann.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16080fd1b9023a---pupamijupenofegixoragoki.pdfIn PDF document text
    • https://www.webhisto.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b1245bef4d7---karuwi.pdfIn PDF document text
    • http://osteriadelcampanile.com/userfiles/files/bajejezevokame.pdfIn PDF document text
    • http://omonetach.pl/foto/ilustracje/file/xojesurazawoxidavugusezil.pdfIn PDF document text
    • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160749a1fa11b0---timutunetufuletole.pdfIn PDF document text
    • http://tv-kitchen.ru/files/files/gasejaluwibaxoveden.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=bossier+parish+inmate+mugshotsPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c7e0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC7E0 10808 bytes
SHA-256: 9062630123789bcc106478797867e4be989957fb6fe3e664fe4211c5b06fd72e
font_01_sfnt_off0000e09f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE09F 16920 bytes
SHA-256: 8e1cda054ad444d70a3ecdd57055e1f1bd16dd93c0efd8fcee9e08eb5e01e2e4
font_02_sfnt_off00010c00.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10C00 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.