Malicious PDF — malware analysis report

Static analysis result for SHA-256 07a35b72621aab31…

MALICIOUS

PDF

81.8 KB Created: 2021-05-15 07:17:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5cf53ead5b49bb095182d3296d6f8bc4 SHA-1: 4f6c2b60cc7be52d886eefe71064f9dd8f389d3d SHA-256: 07a35b72621aab3167076d7e854fe0128501bf372eebcf8e9debfc4309537b0d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which are hosted on compromised WordPress sites, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though obfuscated, suggests a lure related to job applications, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9057

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=biodata+format+for+job+in+sri+lanka
    • https://pinotcar.com/wp-content/plugins/super-forms/uploads/php/files/60bf006391dd37ba5b825080f8c651cd/rakerapovejalesoj.pdf
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/f230df678c0a97b0e1c2b332b13d1464/tororuvexup.pdf
    • https://otelnamore.com/wp-content/plugins/super-forms/uploads/php/files/bd4c33217fe318e3c0858ee44822dfc3/fewofepirutedipizilox.pdf
    • https://prikolnaya.com/wp-content/plugins/super-forms/uploads/php/files/d93a94a8479af01e684d5681463fdde4/68723294242.pdf
    • https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/47009b9ea8186581bddd8c24df7f6634/29688461226.pdf
    • https://lea-inc.com/wp-content/plugins/super-forms/uploads/php/files/d553ec4b37f5871199ec70f61960274f/78253605858.pdf
    • https://afriqueitnews.com/wp-content/plugins/super-forms/uploads/php/files/edf68faec653f50a3c6684e7edf4162d/zetowodagesisuzemas.pdf
    • http://446888.top/userfiles/file/xafejozewogolixara.pdf
    • https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/52deef5f8c7ec03664cc5347fc773206/seguvijufobovenugebu.pdf
    • http://artgraf24.pl/userfiles/file/86659525824.pdf
    • http://dangkyidol.com/wp-content/plugins/super-forms/uploads/php/files/bhog1a8pkae39fchh93ti2s9ar/jijepexiniboju.pdf
    • https://sellos-mecanicos.com/wp-content/plugins/super-forms/uploads/php/files/732a5dbde64d647a7c50ac97af84eea4/32483159496.pdf
    • https://smarttactic.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607726dc502bd---ruwefufibamijoveme.pdf
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/bc05v1upkorromsvkc67rah613/zewetubig.pdf
    • http://poorclarescork.ie/images/11095510917.pdf
    • https://donnasalon.ru/wp-content/plugins/super-forms/uploads/php/files/13e08ad23d3d93a51f0c47022cb4b196/farofivogerusenapiv.pdf
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/7127jekatalb7dgdmv16q6vm98/15038975538.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dcc3.bin
25cb0d7c616ca0f441f93370ce427d1c91bf8b568e96efec8370442043fb85d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDCC3 5384 bytes
font_01_sfnt_off0000eec0.bin
ddbead76d58b21d7aa9b5d2d1ec90dce27a6f026aec0ad9c6a933b6130d2d795		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEEC0 35128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.