Malicious PDF — malware analysis report

Static analysis result for SHA-256 06a30dac13e6fa5b…

MALICIOUS

PDF

63.4 KB Created: 2021-10-11 01:50:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: d76facb8e3a0c3a008919feffb216b8c SHA-1: 38d632c2670859cccbc9cf1c27f62ced78e64504 SHA-256: 06a30dac13e6fa5b6b97bbdc60676e18f1ff4f8f00b77bfafc7718abecc123af
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. Heuristics indicate the document functions as a link farm, directing users to multiple external URLs, some hosted on compromised CMS uploads or disposable domains. The presence of numerous PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM firings strongly suggests the document's primary purpose is to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9077

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=high+yield+meaning PDF link annotation
    • https://mimpisiluman.com/contents/files/zigawelevufidak.pdfIn PDF document text
    • https://techinnsrl.com/writable/public/userfiles/file/vemotedo.pdfIn PDF document text
    • https://mingyi-lock.com/data/file/userfiles/files/ralozavuwixexuka.pdfIn PDF document text
    • http://spain-ex.com/images/blog/file/nolifufavosepugu.pdfIn PDF document text
    • http://bettynblue.com/upload/fck_img/20211010/file/22144483824.pdfIn PDF document text
    • https://www.web2business.pt/wp-content/plugins/formcraft/file-upload/server/content/files/16141bc44d0c8f---71085858493.pdfIn PDF document text
    • https://bloomland.com/sites/bloomland.com/files/20892351116.pdfIn PDF document text
    • https://bankubezpieczen.pl/userfiles/file/junakoda.pdfIn PDF document text
    • https://intervalhousehamilton.org/ckfinder/userfiles/files/fivomokadegube.pdfIn PDF document text
    • http://3handseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141db1803bb4---jevitera.pdfIn PDF document text
    • http://www.facyt.com.ar/ckfinder/userfiles/files/36623218880.pdfIn PDF document text
    • http://www.highlandmetals.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/161504b37784e4---37590797732.pdfIn PDF document text
    • http://findmealocalpainter.com/insurazon/admin/userfiles/file/19192804770.pdfIn PDF document text
    • https://www.entornopublicitario.com/wp-content/plugins/super-forms/uploads/php/files/01f633ef145cb3d6fbb0b1275ea5fdda/basufifoj.pdfIn PDF document text
    • http://trivio.it/userfiles/files/womal.pdfIn PDF document text
    • https://www.barrau-philippe-sedeco.fr/ckfinder/userfiles/files/82200792063.pdfIn PDF document text
    • http://galluccifaibano.it/userfiles/file/78783816103.pdfIn PDF document text
    • https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/161353f581d71f---jojow.pdfIn PDF document text
    • https://seas2010.cienciaevida.pt/site/upload/file/pefuzowufunixufabowiki.pdfIn PDF document text
    • http://dierenwinkelindex.nl/images/uploads/90541772014.pdfIn PDF document text
    • https://heatingboiler.ca/fck_upload/file/baruzatilisutubozowa.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de5d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE5D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1