Malicious PDF — malware analysis report

Static analysis result for SHA-256 0062573a96edf558…

MALICIOUS

PDF

67.9 KB Created: 2021-09-07 20:06:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: c41588f3abdbf1a75021475a9d8480f4 SHA-1: affa7d4660e4c75526d8a445e35278a56df580a5 SHA-256: 0062573a96edf5585b2620a5961646820df6d1316bba3dafc6498365718cb155
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics reveal it functions as a link farm, containing numerous URLs pointing to compromised WordPress sites. These links likely serve as a distribution mechanism for phishing or malware, leveraging common vulnerabilities in website plugins.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9130

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/1611258f5ae04b---78502089981.pdf In PDF document text
    • https://qualitylightsolutions.com/wp-content/plugins/super-forms/uploads/php/files/e9d4d3d83d1f254bb21181e7c3a69278/kexobu.pdfIn PDF document text
    • https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/b9ac6ae1fe44a9dd1f0f97191f318ed9/8027931147.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160b4acfec7693---fozidodozemodaw.pdfIn PDF document text
    • https://miamivanservice.net/wp-content/plugins/formcraft/file-upload/server/content/files/1611a11e264d95---fibege.pdfIn PDF document text
    • https://www.properties-thassos.com/wp-content/plugins/super-forms/uploads/php/files/santgehjobjs48vkopu819dpeo/67351694332.pdfIn PDF document text
    • https://fishuntpesca.it/file/58240935395.pdfIn PDF document text
    • https://vhcvietnam.vn/ckeditor/images/files/70830285057.pdfIn PDF document text
    • http://megat.pl/uploaded/fck_files/file/38101550324.pdfIn PDF document text
    • http://jubileejec.com/userfiles/files/rozijajivikesegalemana.pdfIn PDF document text
    • http://miryangpension.com/FileData/ckfinder/files/20210802_8B2E5AC92F4E19FF.pdfIn PDF document text
    • https://hotelristorantenovecento.it/wp-content/plugins/super-forms/uploads/php/files/c107b6fa16228255e295be74d330d6cb/dejoropemunel.pdfIn PDF document text
    • https://cvssteelex.com/ckfinder/userfiles/files/xamomekekokaluganexozila.pdfIn PDF document text
    • http://kovove-ploty-brany-zabradli.cz/UserFiles/File/fubezedagugomilikaxim.pdfIn PDF document text
    • http://zovsh.com/Uploadfiles/files/68169432648.pdfIn PDF document text
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/9a43f3b1da3622f3fe1ce8d4581e6464/tedatelezanabuwaz.pdfIn PDF document text
    • https://fajndoktor.cz/images/file/files/49213468466.pdfIn PDF document text
    • http://centreforeffectivecoaching.com/media/file/nodatitokimurutikuwixipe.pdfIn PDF document text
    • http://langeline.com/ckeditor/upload/files/43272884837.pdfIn PDF document text
    • https://backcountryplayground.com/wp-content/plugins/super-forms/uploads/php/files/b6fb37ddaa4bbc0c8e9b63b36f7ed19d/winoka.pdfIn PDF document text
    • https://ascinfratech.com/clientprojects/trading/file/pujefinomewuxatix.pdfIn PDF document text
    • http://www.thelawchamber.com/wp-content/plugins/formcraft/file-upload/server/content/files/161220257ec8d0---jigezedifitilajagesiguwaw.pdfIn PDF document text
    • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/84dd487a944428bc5400c700be3a9174/zodovorezanetegotixovas.pdfIn PDF document text
    • https://www.vedaaz.com/wp-content/plugins/super-forms/uploads/php/files/bdb38d99466337098def596885c3727d/neberawisufatezikudelawu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=human+physiology+class+11+notes+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea43.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA43 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1