Malicious PDF — malware analysis report

Static analysis result for SHA-256 02ac90bc3f28eb0e…

MALICIOUS

PDF

117.9 KB Created: 2021-08-29 01:58:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 7f897ee3aee791c2ceb91763e7783576 SHA-1: 8567036507b68705f14785adae312e9bd47c914c SHA-256: 02ac90bc3f28eb0ed495cccf1994b746e67bc9f603bea8d6522dd3201168293e
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm pointing to numerous URLs, many hosted on compromised WordPress sites and disposable domains. This structure is indicative of a phishing or malware distribution campaign, aiming to lure users to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3559

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://theeultimatenetworker.com/ckfinder/userfiles/files/98608183570.pdf In PDF document text
    • http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/161205102ee35a---89999452615.pdfIn PDF document text
    • http://metrokentakifinan.com/resimler/files/dadelodutefiboxusigilaxa.pdfIn PDF document text
    • https://otdelkamos.ru/wp-content/plugins/super-forms/uploads/php/files/900d739bde860fbb2370e7878b820364/90358973497.pdfIn PDF document text
    • https://www.gs-gleichmann.de/wp-content/plugins/formcraft/file-upload/server/content/files/160e88fe8ed789---wukutapuvafirosoz.pdfIn PDF document text
    • http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/160bfb71cce565---25574128893.pdfIn PDF document text
    • http://debsecond.net/UserFiles/File/10781427063.pdfIn PDF document text
    • https://doublehair.center/upload/ckfinder/files/zurixagugolerubazekuje.pdfIn PDF document text
    • https://studiogreenwich.ru/wp-content/plugins/super-forms/uploads/php/files/6b96707d6ecd7e7e409921459c7818f2/doketapupokeremubetug.pdfIn PDF document text
    • http://sunnysidehighschoolclassof59.com/clients/867562/File/78734117359.pdfIn PDF document text
    • http://dogninja.com/userfiles/files/46346549795.pdfIn PDF document text
    • https://www.finestkindcharter.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2d71924d48---nixesatodisiwer.pdfIn PDF document text
    • https://artbynela.com/uploads/file/sunus.pdfIn PDF document text
    • http://tysons-cafe.com/uploads/files/tuwosusinogilorakaseg.pdfIn PDF document text
    • http://www.segurosfacility.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607a87ef11e61---98083236663.pdfIn PDF document text
    • https://glowskincare.net/wp-content/plugins/super-forms/uploads/php/files/364f48ec4e721f967d2cfbbae0d34296/76889266512.pdfIn PDF document text
    • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/l6dg4edf9cpar64s5ntgfea7bh/jotixusewosezajejal.pdfIn PDF document text
    • http://e-skala.pl/userfiles/file/8784602481.pdfIn PDF document text
    • https://www.osteopathe-montpellier-sud.fr/ckfinder/userfiles/files/guwekakama.pdfIn PDF document text
    • http://jullien38.com/ressource/site-image/files/tupekirelalof.pdfIn PDF document text
    • http://aryajob.com/user_upload/file/76845456246.pdfIn PDF document text
    • https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160ae10cd91f5b---ronevetivewatunuxifaka.pdfIn PDF document text
    • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afa66fd09b7---besumafewov.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=carl+jung+mdrPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017c6c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17C6C 19624 bytes
SHA-256: 68d64e8464a8c1dd515b1f164c58d8c879eea7874f3feea29f3524e48704beb5
font_01_sfnt_off0001af47.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AF47 10244 bytes
SHA-256: 206894b2c47464092fe0cca7cd755e63d8b298dfe875c35b0a167fe3ad355dbb