Malicious PDF — malware analysis report

Static analysis result for SHA-256 001f2c01ac3bccce…

MALICIOUS

PDF

84.6 KB Created: 2021-06-13 01:25:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-07
MD5: af9ae1284b9afbdc69a9e2d86275d3db SHA-1: 816ed43a58c03ee27369a1039833e0fdd09b583d SHA-256: 001f2c01ac3bccceb5b2de8e52201261eb542d100cc3f4aff4df729a698fb93b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The document contains a large number of embedded URLs, many pointing to compromised WordPress sites, suggesting it functions as a link farm for phishing or malware distribution. The presence of a URL with a 'utm_term' parameter indicates a potential tracking mechanism for user engagement with the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9579

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=motu+patlu+motu+patlu+ka+cartoon PDF link annotation
    • http://plenaadoracao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16098704457b1e---gedigewe.pdfIn PDF document text
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160bbb0d7e4ac0---surarafodakavororanew.pdfIn PDF document text
    • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/6cf14692457754af64f1a0ac29e5ebfb/lokawepugonisaraxo.pdfIn PDF document text
    • http://europeanprofservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce5f7dc4a3---68596859370.pdfIn PDF document text
    • https://quaint-house.com/74053910974.pdfIn PDF document text
    • https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a14ff132eab---25657443503.pdfIn PDF document text
    • https://mithermomix.com.mx/wp-content/plugins/super-forms/uploads/php/files/d13c403ca0bb83cc8235172f3fde1254/82840875982.pdfIn PDF document text
    • https://avgdesign.com/userfiles/file/binirimimimexadorul.pdfIn PDF document text
    • https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/orugn4ogso8vrfdve35k1j3jg7/60752057094.pdfIn PDF document text
    • https://rhythmcprandfirstaid.com/wp-content/plugins/super-forms/uploads/php/files/74bd9d714095b499c4dea028e0cad888/ketokupojekiwozogu.pdfIn PDF document text
    • http://dermalab.pl/userfiles/file/32370786987.pdfIn PDF document text
    • https://finances-canada.com/wp-content/plugins/super-forms/uploads/php/files/18ba2ce5992f6a91e18bc16ef796afa4/xexopofanewoguvawuguv.pdfIn PDF document text
    • https://advicezone.org.uk/wp-content/plugins/super-forms/uploads/php/files/v4bb93gljoqtnr2udmj99r4b1s/73469672985.pdfIn PDF document text
    • http://hjtech.org/admin/upfile/file/jegudijijug.pdfIn PDF document text
    • https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/58dl0n40403ek2vhou8omnqts4/subikuwudunexixodajob.pdfIn PDF document text
    • http://villaturri.it/wp-content/plugins/formcraft/file-upload/server/content/files/16081fde1ca827---55825158636.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013186.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13186 4968 bytes
SHA-256: c6e11e8d000d0c01854eef11c0ca6dc94e7414df49c2735e2d0718f2811e6484

Open this report in the interactive analyzer, or submit your own file for analysis.