Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe5e9e549dac3168…

MALICIOUS

PDF

82.4 KB Created: 2021-09-11 17:04:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: ead29ffb7e48acc86e2e312465b87108 SHA-1: 531256ed4a3ad3fdb9b951e5e06e5c2485a4fd64 SHA-256: fe5e9e549dac316893fb7c57c002573b07eaf77357f011055b03e420eb6522a8
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for exploiting vulnerabilities or redirecting users to malicious sites. Several heuristics indicate the PDF is part of a link farm hosted on potentially compromised or disposable domains, suggesting a phishing or malware distribution campaign. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://rotterdampools.com/contents/files/vofojomefete.pdf In PDF document text
    • http://orderkai.com/uploads/files/70134531603.pdfIn PDF document text
    • https://all-stage-meditation.tw/uploads/files/6139b446040a2.pdfIn PDF document text
    • https://fertilizergranulatorprice.com/d/files/4220664163.pdfIn PDF document text
    • https://www.wroclawmodelshow.pl/ckfinder/userfiles/files/tenapulaboreriwova.pdfIn PDF document text
    • http://cardealer-space.com/js/upload/files/gadonadix.pdfIn PDF document text
    • https://silverlabpupsforsale.com/userfiles/files/fovidaj.pdfIn PDF document text
    • http://pastoret.it/userfiles/files/9531821294.pdfIn PDF document text
    • http://cnsgawefgl.netsociality.com/upload/files/29596607148.pdfIn PDF document text
    • https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/02c0bcb0cff433a8d813e15e5ce26c77/34428611859.pdfIn PDF document text
    • https://highlander-inn.com/assets/userfiles/files/duwejemewevegagetajugijo.pdfIn PDF document text
    • http://www.creativitaecomunicazione.it/js/lib/ckfinder/userfiles/files/kowubefeb.pdfIn PDF document text
    • https://wonkingchina.com/d/files/89713712570.pdfIn PDF document text
    • http://szkolaprzybranowo.pl/ckfinder/userfiles/files/15032435555.pdfIn PDF document text
    • http://suliaok.com/v15/Upload/file/202191638221753.pdfIn PDF document text
    • https://gonguyenkhoi.vn/upload/files/26419141250.pdfIn PDF document text
    • http://lexen.ca/userfiles/files/42174153830.pdfIn PDF document text
    • http://24hnbc.com/assets/ckfinder/core/connector/php/uploads/files/razewunefajamolakoriped.pdfIn PDF document text
    • http://www.hollyskauaicondo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16131a42e69006---xometebapab.pdfIn PDF document text
    • https://sportnazona.bg/f/uploads/files/jinaveluvexedu.pdfIn PDF document text
    • http://europeanprofservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/161317596dc0e5---25233794101.pdfIn PDF document text
    • https://alquimia.in/admin/fckeditor/editorfile/79298340194.pdfIn PDF document text
    • https://wanfutemple.urwaydesign.com/data/file/userfiles/files/dizumadib.pdfIn PDF document text
    • http://fusen-es.info/yamituki-n/uploads/files/32268197670.pdfIn PDF document text
    • http://unseenadventure.com/userfiles/file/kosezopubozivifadogevizab.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=kindle+user+manual+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dcac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCAC 10532 bytes
SHA-256: c28438d8c0c2e015b105a3e22ba0e59a3e12d28f2c09e4fd46ae5d63815a22b4
font_01_sfnt_off0000f488.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF488 18296 bytes
SHA-256: aa6c2f0154f45943c5bc0b079b759a4250ca2a718ff5887ecea78aa13d5e1461
font_02_sfnt_off0001243a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1243A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1