Malicious PDF — malware analysis report

Static analysis result for SHA-256 06bf857974860ec7…

MALICIOUS

PDF

81.8 KB Created: 2021-09-29 13:07:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 5a2f4d0ac9b557e319eef5fc2cb41a2a SHA-1: 7e3cc6adfc0db4372fcfe67195e8bd038c9ea65b SHA-256: 06bf857974860ec7c7c38f7abd47a277cf768e42c62925e56b18fa2e0e1939fd
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs, many of which point to compromised WordPress sites and disposable hosting. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to lure users to phishing sites or download further malware. Although no scripts were explicitly extracted, the structure and URL patterns are indicative of a malicious PDF designed for initial compromise.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3974

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=ppsspp+games+under+500mb PDF link annotation
    • https://vakukh.ru/wp-content/plugins/super-forms/uploads/php/files/0add65b89eda1e77cc99080a4e19fd82/xamujudojafajoriwedibives.pdfIn PDF document text
    • https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/0sqb3qp7qfqg49072fu3er3lec/7694526696.pdfIn PDF document text
    • http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/16144db76227c5---60897979090.pdfIn PDF document text
    • http://megaprestige.ru/uploads/files/kutata.pdfIn PDF document text
    • https://master.plus/wp-content/plugins/super-forms/uploads/php/files/868794cf7f40ef0b430d2e10f6e020ce/zawazu.pdfIn PDF document text
    • http://www.plain-pied.com/editeur/ckfinder/userfiles/files/83026085317.pdfIn PDF document text
    • http://hanabi-la.com/uploads/files/6200177018.pdfIn PDF document text
    • http://lawngo.net/fckfiles/95082604775.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/16147cd19e5f86---zobipavofezirix.pdfIn PDF document text
    • http://identik.hu/editor_up/90575783620.pdfIn PDF document text
    • https://marthomaktrplrdiocese.org/ckfinder/userfiles/files/67006528818.pdfIn PDF document text
    • https://bearings.vn/images/ckeditor/files/99395990082.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16151b71404831---30729909276.pdfIn PDF document text
    • https://igk-lilienthal.de/downloads/wofujibagafo.pdfIn PDF document text
    • http://immodraft.nrw/images/architekten_agentur_images_/file/23223014490.pdfIn PDF document text
    • https://acethamessecurity.co.uk/wp-content/plugins/super-forms/uploads/php/files/cb05285a7486e5a7461888a7ddcb7ac5/84604670538.pdfIn PDF document text
    • http://www.depomatrial.com/file/lomutawoguzuse.pdfIn PDF document text
    • https://www.urban-quartz.co.uk/wp-content/plugins/super-forms/uploads/php/files/6057da7f4b12bf65184caa83a4357c43/nivevefunativij.pdfIn PDF document text
    • http://quantri.thaisonpalacehotel.com/upload/files/zikureganizamavul.pdfIn PDF document text
    • http://stelmart.ru/userfiles/file/40607784967.pdfIn PDF document text
    • https://arrayamed.com/userfiles/file/16561021895.pdfIn PDF document text
    • http://superfishinglewood.com/uploads/files/54356446068.pdfIn PDF document text
    • https://fundacjaartfreeart.pl/userfiles/file/vawawadugezumaperotaro.pdfIn PDF document text
    • http://dallapietamarchisio.it/userfiles/files/tovezoxonugovax.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e598.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE598 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fdaa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFDAA 20540 bytes
SHA-256: 3563b84ba8bd8bce9f0adc1dd67770e84e370fc23bb8402354d32e1edc252f90
font_02_sfnt_off00013344.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13344 10876 bytes
SHA-256: 0e94efa3ad8f4be2f304ff923aeb19e523a23d19fc15614a13169d8a23547611