Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff659c385cefe662…

MALICIOUS

PDF

83.2 KB Created: 2021-09-06 19:44:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5fd606e970d900464636760c95610844 SHA-1: c3aef755bf46617f51793a5a2a66ea1f3baae319 SHA-256: ff659c385cefe662306f84c2e6a0c78d0ea0c3c00eba60ecc89bdffa2c5e42fe
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It functions as a link farm, directing users to numerous URLs hosted on compromised WordPress sites, which is a common tactic for phishing or distributing further malware. The presence of external URIs and link farm characteristics strongly suggests an intent to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://thepetrichortouch.com/wp-content/plugins/super-forms/uploads/php/files/655rv9l819h2oh297676fjgeqv/12003296187.pdf
    • https://www.amiunaorchestra.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160c376dc20275---ratajuxuxozep.pdf
    • https://tractorpulling-emmeloord.nl/upload/file/fozawowu.pdf
    • https://citytrafik.nu/images/file/90880898699.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d8bdb26889f---61802330536.pdf
    • https://www.adcgrain.com/wp-content/plugins/super-forms/uploads/php/files/80c9a7fe71939eead636411764dc30c5/xupabedagimoxenifiwuzu.pdf
    • http://rapabzenec.cz/obrazky/files/44699415326.pdf
    • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/6b74e0d01d3bec2a7041c6cca3bbc37d/79866245630.pdf
    • http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/16081e4a91f3bb---xuloxekizedepetoxereluse.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160956b2664a46---juxivegabevixafigurix.pdf
    • https://teenvolunteerdallas.org/wp-content/plugins/super-forms/uploads/php/files/60a9827ae150d4bda55a9cb7e5e1dbce/75892232706.pdf
    • https://eandjfamilyhealthcenter.com/wp-content/plugins/super-forms/uploads/php/files/57251f86bfec639cf33b90160a1da956/81593907547.pdf
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/fckog655tno5mvg7sm8ik1lour/17519656924.pdf
    • https://acrgroup.nl/userfiles/file/kubitaf.pdf
    • http://imobiliariaimperio.com/files/files/27405052088.pdf
    • http://artetendasud.it/userfiles/files/zugobudit.pdf
    • http://ecbpolska.pl/wp-content/plugins/super-forms/uploads/php/files/b252f179fc34368d974d9216ad2ac668/380739000.pdf
    • https://lemarko.com/userfiles/file/54191129675.pdf
    • http://novaserv.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c7535b221c---basotidowajujakizeba.pdf
    • http://binhchuachay.info/Images_upload/files/63239353035.pdf
    • https://g4m3s-4p1-12s1.com/contents/files/bepizavo.pdf
    • https://smallislandcurry.com/wp-content/plugins/super-forms/uploads/php/files/51f142e0b6d275e3b301901aabaa42a9/gemitavu.pdf
    • http://www.lnk-creation.fr/upload/file/pimubex.pdf
    • http://anabakorea.jp/userfiles/file/98134036484.pdf
    • https://ottenburger.com/userfiles/file/82822688376.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=comment+r%C3%A9duire+taille+pdf+en+ligne
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc0f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC0F 16792 bytes
font_01_sfnt_off0000f426.bin
73f9924f47cbc470c73a3d90a21705473e19a90c5ac10c9b9d905f360c8285d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF426 10960 bytes
font_02_sfnt_off00010cf7.bin
f4eb4b734a0a6a027dc043b8a993f1695ff8ded95ac1cd45e1d18138cb38781e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10CF7 18740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.