Malicious PDF — malware analysis report

Static analysis result for SHA-256 0708e717007326f7…

MALICIOUS

PDF

67.8 KB Created: 2021-06-13 01:00:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-07
MD5: 0c3ed9c925c854ee20673bf965264eac SHA-1: 7420f81dac68bb61b9d5604f15171a2141904beb SHA-256: 0708e717007326f76e907475938cfc18ea208163f6d94aaa5b6108ab84be2b9b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous links, many hosted on compromised CMS platforms, designed to direct users to download applications. The presence of 'appbucks apk download' in the document body and the ML classifier's high confidence score indicate a phishing or malware distribution attempt. The numerous external URIs and link farms suggest an effort to obscure the ultimate destination and potentially distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7841

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=appbucks+apk+download PDF link annotation
    • https://dmvassociates.com/wp-content/plugins/super-forms/uploads/php/files/edae504d641d2b03b5e89f9096308749/gisox.pdfIn PDF document text
    • http://utopiasacramento.org/clients/0/07/071cdeedc048305be324eb10ab8031d4/File/24134154010.pdfIn PDF document text
    • https://luminex.pl/upload/file/52198571279.pdfIn PDF document text
    • https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f8def13e1a---98895852632.pdfIn PDF document text
    • https://alfa-clining.ru/wp-content/plugins/super-forms/uploads/php/files/c9361d201d2e2218ee5745347f93f184/20404707568.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b608ca4aabb---tedibededeja.pdfIn PDF document text
    • http://legalinet.eu/userfiles/files/xamozutewolurezariba.pdfIn PDF document text
    • https://ka-base.no/images_content/file/tobolo.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078a81e2d4b1---zoxobakokak.pdfIn PDF document text
    • https://yssnewlessons.org/UserFilesTwo/file/50471630278.pdfIn PDF document text
    • http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160ad88d714a7d---31416289990.pdfIn PDF document text
    • https://csom.cz/wp-content/plugins/super-forms/uploads/php/files/13ea16d7d2a0e255cbd8713481c706fe/80796454544.pdfIn PDF document text
    • http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/543e3cb2f721bdbb7b067f37b6920a36/70283352941.pdfIn PDF document text
    • http://thingsantiquesla.com/userfiles/files/zapizumubepinuxiwimizapa.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/b764e4132048032a8af5ae071fa76a29/74738925423.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c891.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC891 5256 bytes
SHA-256: 3c131b10640ad72d7ac4710767801ecbb7a7c6c714297ac242a5632331d49a99
font_01_sfnt_off0000da97.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA97 10364 bytes
SHA-256: a6d7e6b08d85f2353a60003f1ebc5997833c527cd7dd3283b9556e3a2e0cc037
font_02_sfnt_off0000fe63.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFE63 16092 bytes
SHA-256: e9fe716c2abc985b12a899a49d5539e4e8be1b56d50c083b30290d85a2a7c848