Malicious PDF — malware analysis report

Static analysis result for SHA-256 008c73db3d4eb55e…

MALICIOUS

PDF

61.6 KB Created: 2021-05-20 21:59:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04096e4420376e4e2d61d6717b01a6c6 SHA-1: 9b7a5dd186ca7db1356093ab66f5bd106d9e91dc SHA-256: 008c73db3d4eb55ef05957b539d98e00f03fd83ec61f91a1b1a58e2012528cab
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains numerous links to compromised WordPress sites, suggesting it's part of a link farm designed to distribute further malicious content. The document body, though partially corrupted, appears to be a lure for downloading a resume or similar document, likely to trick users into executing a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8151

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=hoja+de+vida+minerva+10+03+para+descargar+en+word
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160814c5cab410---73151132216.pdf
    • http://informerfitness.com/wp-content/plugins/super-forms/uploads/php/files/2ad7576a71f32bf761eafcf9da56f5b8/xejadijidegigoxelu.pdf
    • https://medgarlci.com/wp-content/plugins/super-forms/uploads/php/files/d3204713e43fea203020fcdd7c464598/bexetezug.pdf
    • https://wurstfargo.com/wp-content/plugins/super-forms/uploads/php/files/9e8025e27316ba9b0ee45b1852654ef9/34828024852.pdf
    • https://teenvolunteerdallas.org/wp-content/plugins/super-forms/uploads/php/files/264e3ce066ab781814e150407851dbbc/22473683445.pdf
    • https://ph2020.org/FCKeditor/file/jabaf.pdf
    • https://medok18.ru/wp-content/plugins/super-forms/uploads/php/files/a862224d6cfe35e9939669467a18ae3b/23390575504.pdf
    • https://spherule.org/wp-content/plugins/super-forms/uploads/php/files/1fd54dd883150bad5f1d46cb49471a38/62518632361.pdf
    • https://www.scanworld.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607376e704ba9---15539930962.pdf
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/8o32ietohh4s79jabg6qq7q236/juxupiniturufig.pdf
    • https://inlandautorepairmurrietaca.com/wp-content/plugins/super-forms/uploads/php/files/e9387bda914e3bc22b20ee3440e23444/muluwokazitesawujetatuve.pdf
    • http://ash-graphy.com/userfiles/file/94051337978.pdf
    • https://666666.vn/upload/fck/file/joridovadugukixabijapig.pdf
    • http://shosholoza.de/file/betukojamoporafefaruj.pdf
    • http://say-international.eu/userfiles/file/48719317898.pdf
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/160897a9e7302b---nibesa.pdf
    • https://www.businesswatchguardingservices.co.uk/wp-content/plugins/super-forms/uploads/php/files/auhvvu829r5c6osc1a2djpf3na/kigegeti.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce2f.bin
d3013ed48bb9083f3c2adbb67196e9520e99085f9eebbaac047e60b5915f20fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCE2F 5908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.