Malicious PDF — malware analysis report

Static analysis result for SHA-256 034dddec3af83a70…

MALICIOUS

PDF

63.3 KB Created: 2021-09-21 12:20:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: b5c7ed549672e375f302a5e576c3e754 SHA-1: 1d656f5badf0aaa9286d45a2ce99a62afe2f68a8 SHA-256: 034dddec3af83a700454f60bab0b664ce3ad570f54beb9ab07d0ad49bb1ace96
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and numerous external URIs, many of which point to compromised WordPress sites or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' strongly indicate a link farm intended to manipulate search results or redirect users to malicious content. The embedded JavaScript likely facilitates these redirects or further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7294

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=android+11+tips+and+tricks PDF link annotation
    • http://www.mueblesgamez.com/ckfinder/userfiles/files/2158898526.pdfIn PDF document text
    • http://whitedwarf.ru/public/images/ckfinder/files/rebun.pdfIn PDF document text
    • http://mastera-mix.ru/ckfinder/userfiles/files/kudow.pdfIn PDF document text
    • https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/1612ec3363b06e---jaxidupibajuwerukot.pdfIn PDF document text
    • http://beijingteye.com/upload/files/16640179376.pdfIn PDF document text
    • http://langmoon.jp/js/upload/files/fuvufumanozenebarera.pdfIn PDF document text
    • https://stayinbranson.com/ckfinder/triplebuserfiles/file/lotelinusogiba.pdfIn PDF document text
    • http://edmo-cars.nl/images/file/xuluginunatuzawenuwami.pdfIn PDF document text
    • https://gamepinleri.net/calisma2/files/uploads/nopitijofulebisekinog.pdfIn PDF document text
    • http://svs-pm.com/wp-content/plugins/formcraft/file-upload/server/content/files/16142dad546684---dupigidubokepuna.pdfIn PDF document text
    • http://gro-felix.si/uploads/jovopuxelipuzulo.pdfIn PDF document text
    • http://kunas.lt/app/webroot/uploads/files/wosororiwidazox.pdfIn PDF document text
    • https://abhimaninteriors.com/ckfinder/userfiles/files/susuduwujujomukata.pdfIn PDF document text
    • https://peoplesmodelinternational.com/ckfinder/userfiles/files/38417973951.pdfIn PDF document text
    • http://les-dvorik.ru/userfiles/file/49826234526.pdfIn PDF document text
    • http://www.qookspot.kitchen/wp-content/plugins/formcraft/file-upload/server/content/files/1612fccdd0f825---31693352165.pdfIn PDF document text
    • https://pilot-nav.com/ckfinder/userfiles/files/45426175147.pdfIn PDF document text
    • https://k-newsletter.com/ckupload/files/42655782938.pdfIn PDF document text
    • http://imosa.asia/uploads/files/202109022321266288.pdfIn PDF document text
    • http://coomargroup.com/ckfinder/userfiles/files/pisurega.pdfIn PDF document text
    • https://ladachess.ru/userfiles/file/55314721330.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/1613ad49952dc9---garenexomalufuminir.pdfIn PDF document text
    • http://cx-gl.hu/images/files/38857895277.pdfIn PDF document text
    • https://orangerun.re/photo/files/jujot.pdfIn PDF document text
    • http://harringtonandlombardi.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/labexilarilijotibawekimu.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9d9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE9D9 10452 bytes
SHA-256: b6485a3ebf8aadaedbd12e488c040c88d67a5b910b4c37c657d1f716b3ebcfdf

Open this report in the interactive analyzer, or submit your own file for analysis.