Malicious PDF — malware analysis report

Static analysis result for SHA-256 05d3fa7fc0079b2d…

MALICIOUS

PDF

57.0 KB Created: 2021-06-03 18:08:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63fdd9a0a1ab12035ae3ca431c7a7e82 SHA-1: 171bbf0e5c79885771a9f657dae290ccb68e50a7 SHA-256: 05d3fa7fc0079b2d1718ae24cd0d743230ed02f2bb6809850dd1dd84f64f71af
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links pointing to compromised WordPress sites, indicating a link farm designed to redirect users. The presence of PRC/3D content and a high ML classifier score further support its malicious nature. ClamAV identified it as Pdf.Phishing.Trojan, suggesting a phishing or malware distribution intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9755

Heuristics 6

  • PRC/3D content in PDF medium CVE related PDF_PRC_3D
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nek.ua/wp-content/plugins/formcraft/file-upload/server/content/files/160a9433b25c28---zigevaxedupopip.pdf
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/16093e477a46f0---25895961308.pdf
    • https://teenvolunteerhouston.com/wp-content/plugins/super-forms/uploads/php/files/941e9f0e9d6690a5a0ea77897fcb6ed6/35503237594.pdf
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/58e148a260cf05a34a70cca0e418dab5/rabepenutifuwi.pdf
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608830da9536c---91028695441.pdf
    • https://bykevin.com/wp-content/plugins/super-forms/uploads/php/files/4912276bdb097c17d5587022bd3a8056/rumulinarusitag.pdf
    • http://uat.ideadunes.com/projects/ideadunes-portfolio-site/wp-content/plugins/formcraft/file-upload/server/content/files/1608c1933627b7---dosegufisojafomugerot.pdf
    • http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8b31e493d---58124751965.pdf
    • https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/16080d5b25751a---tozokobevinegaje.pdf
    • http://adoriantarla.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16089247813f57---tejodimudojoxunogapofanor.pdf
    • https://wcdt.co.th/wp-content/plugins/super-forms/uploads/php/files/p9d2i2slgfdf6e2og9r7sf4reg/15681973626.pdf
    • http://www.cargeacrew.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608e444b917cd---63881432972.pdf
    • http://arcomproltd.com/userfiles/file/suzetexomowemarub.pdf
    • https://refour.dk/wp-content/plugins/super-forms/uploads/php/files/279defc8e2ebd2c8d7b5edfdce28de0e/duliruw.pdf
    • https://www.sodigital.it/wp-content/plugins/formcraft/file-upload/server/content/files/16089989b1df54---12369556877.pdf
    • http://davidhammerstein.org/userfiles/file/gubefapajenajoxobikuwos.pdf
    • https://londonvipchauffeur.co.uk/wp-content/plugins/super-forms/uploads/php/files/43dbe7721d77bdc1f3b9f0524e3a5b9d/tofal.pdf
    • https://pima-alarms.net/slicice/file/55558611965.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=baby+shower+emoji+pictionary+game+answers
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ca1e.bin
31f048f23bd242e2a6ffd071866192861cfec5bcd20d6592dd6bd86f3d46e300		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCA1E 5564 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.