Malicious PDF — malware analysis report

Static analysis result for SHA-256 031ece9665a17f2c…

MALICIOUS

PDF

44.3 KB Created: 2021-08-18 10:34:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 25bcb3d02d7bc79b983c2fac2e895a26 SHA-1: aafb6546ade13b818e68f7d48b7a476867ff92c0 SHA-256: 031ece9665a17f2c1205460bdbc83b53f6a280b5367cc6a3582486763467670a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a significant number of URLs, many pointing to disposable hosting or compromised CMS uploads, indicating a link farm designed to redirect users. The ClamAV detection and ML classifier strongly suggest malicious intent, likely for phishing or distributing further malware. The embedded JavaScript is a common technique for executing malicious code within PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7152

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=vw+golf+mk6+1.4+tsi+service+manual PDF link annotation
    • http://maysoi.com/hinhanh_fckeditor/file/600790693.pdfIn PDF document text
    • http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609eed25c1fd0---xisazikidug.pdfIn PDF document text
    • http://sarljarry.fr/userfiles/file/83027724202.pdfIn PDF document text
    • https://ketgate.eu/wp-content/plugins/super-forms/uploads/php/files/c00ad1d4db7ba785a32e1afaf86801bb/99089336769.pdfIn PDF document text
    • http://sshs61.com/clients/6/60/60e739d5a8cf4a6710e4f064fd99417d/File/65208104451.pdfIn PDF document text
    • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b344b69de1d---gogobofavuzedu.pdfIn PDF document text
    • http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba7e010806a---85157877470.pdfIn PDF document text
    • http://makaeximworld.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607080abc1cee---83961306863.pdfIn PDF document text
    • http://parkettes.org/clients/b/b3/b30d687fb0e6fb0c44210170e51784d9/File/7983193861.pdfIn PDF document text
    • https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/14deb4726c34e9e62f06b5c3f94e8fb2/78320550801.pdfIn PDF document text
    • http://studiotecnicobonoli.com/userfiles/files/83916923339.pdfIn PDF document text
    • https://www.helpfulhunks.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160ec4494d031a---10629007327.pdfIn PDF document text
    • http://www.provinces.cmcgeneralate.org/files/js/ckfinder/userfiles/files/derusinovonumaretaxin.pdfIn PDF document text
    • https://hv2barrier.com/application/third_party/ckfinder/userfiles/files/zagojosil.pdfIn PDF document text
    • http://mgocsm.in/userfiles/file/rifeduwavolafepitenelaron.pdfIn PDF document text
    • http://messtores.ca/fck_user_files/file/xemewidowar.pdfIn PDF document text
    • https://anandamsanyal.com/userfiles/file/lodujiwozoduwib.pdfIn PDF document text
    • http://www.orarestauratorisaf.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608b18245dc48---32554157645.pdfIn PDF document text
    • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f146cca941a---maralexewifanopar.pdfIn PDF document text
    • https://facades-metal.ch/ckfinder/userfiles/files/duremuxexis.pdfIn PDF document text
    • http://palenice.net/obrazky_clanky/file/85694574931.pdfIn PDF document text
    • http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/161048a95efc7e---77643038428.pdfIn PDF document text
    • https://etimes.mn/uploads/files/juxovamoxunowi.pdfIn PDF document text
    • http://border-inn.com/CKEdit/upload/files/sararerakamivip.pdfIn PDF document text