Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe731868e48bc71c…

MALICIOUS

PDF

84.0 KB Created: 2021-09-12 22:45:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 36d9233968cf2e1b9c45aff1452561ce SHA-1: 899ee0cc04aa201fdd9d8d5c67074b4ec2ab1078 SHA-256: fe731868e48bc71cfa76d4db53f6efa35d0691cfc03bd7b3a67d5200aa8dfc83
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document containing embedded JavaScript and a significant number of external URIs. Several heuristics indicate that these URIs are part of a link farm hosted on compromised WordPress sites, suggesting a phishing or redirection attempt. The ML classifier and ClamAV detection strongly support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9877

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/161366d48db006---vakulugonizasitaki.pdf In PDF document text
    • https://araprinter.com/ckfinder/userfiles/files/juxonifixasafiti.pdfIn PDF document text
    • http://reutlinger.pl/userfiles/file/maxipekutedar.pdfIn PDF document text
    • http://gimhaejazz.com/fckeditor/userfiles/image/96404760374.pdfIn PDF document text
    • http://toroisg.com/public/images/files/35264859799.pdfIn PDF document text
    • http://palazzodiaz.com/userfiles/files/82377995892.pdfIn PDF document text
    • https://movie2book.com/userfiles/file/fuzebimebakujad.pdfIn PDF document text
    • http://kieryk.pl/img/userfiles/file/zofalilomapubo.pdfIn PDF document text
    • http://konyanincigkoftecisi.com/userfiles/file/muwibivilurisejaxo.pdfIn PDF document text
    • https://uangraja.com/contents/files/95193605859.pdfIn PDF document text
    • https://christianklein.eu/Quansis/ckfinder/userfiles/files/wuwuzoke.pdfIn PDF document text
    • http://robfredo.com/userfiles/file/tivesotet.pdfIn PDF document text
    • http://www.mvdisposal.com/wp-content/plugins/formcraft/file-upload/server/content/files/16138ef3025159---golujulukuw.pdfIn PDF document text
    • https://beaufortbond.com/wp-content/plugins/super-forms/uploads/php/files/4c7c26d4149077ecc96d789b5102ced3/tuxuvuferilaxuli.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/abf411a03573aa4469ec15f9970123db/bijakurulopusifuva.pdfIn PDF document text
    • https://simbhaolipower.com/images/file/voziko.pdfIn PDF document text
    • http://duszek-lasu.pl/userfiles/file/janusovetedenipaw.pdfIn PDF document text
    • http://www.yoko-ono.be/images/userfiles/file/vafobiwimujasugokunamesu.pdfIn PDF document text
    • https://tradingphrases.com/userfiles/files/sewovotevopilobesinaxi.pdfIn PDF document text
    • https://marikakozmetika.hu/editor_up/2871630100.pdfIn PDF document text
    • http://jawarakreasi.com/file/14012588816.pdfIn PDF document text
    • http://wawabed.pl/uploads/userfiles/file/62408184199.pdfIn PDF document text
    • https://serihosting.com/calisma2/files/uploads/rabozuvod.pdfIn PDF document text
    • http://ikuma-car.com/js/upload/files/zimatexufitimukisowutid.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=how+to+logout+messenger+on+androidPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000be29.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBE29 1868 bytes
SHA-256: b44e304f4199d162c520aa61e4565b27969aa952fa2ee1db3f4cf671ae1a9eb8
font_01_sfnt_off0000c6e1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC6E1 10768 bytes
SHA-256: 566ca8e4b73190113dde8bf350dcda91c11e92f45e79dc17dad39b3f8430f6d6
font_02_sfnt_off0000df74.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF74 20612 bytes
SHA-256: d7ca0490c1a360acb97c18ec97e91ef5a444e4b95bc50cb67163434460bee8e7
font_03_sfnt_off000113e5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x113E5 16104 bytes
SHA-256: 4204f4a647e3e8488fc3125e36d68471fcc515b787f7ef36a685bb1e406e82a7
font_04_sfnt_off00012930.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12930 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.