Malicious PDF — malware analysis report

Static analysis result for SHA-256 07df2f123a009f74…

MALICIOUS

PDF

70.6 KB Created: 2021-09-01 02:53:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: a8f710f068cb146353c6af1e9f28deea SHA-1: 0480be5e424ea740f46fd63b2440b13d752661da SHA-256: 07df2f123a009f740b8c2f351543be4f13a322c67f9d1be2d4d752998fc50fb0
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is often used to initiate malicious actions. The document also functions as a link farm, directing users to multiple distinct hosts, some of which are hosted on compromised CMS uploads or disposable domains, indicating a phishing or redirection attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6691

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.lebedosapartotel.com/data/yukle/files/bisiguvizabanoja.pdf In PDF document text
    • http://elanaclub.ru/userfiles/file/tavakivotisax.pdfIn PDF document text
    • http://mcgrathpc.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/35898182539.pdfIn PDF document text
    • https://marksiegeldds.com/wp-content/plugins/super-forms/uploads/php/files/240314f210dc99e2bd6807f5479a3da8/95829332281.pdfIn PDF document text
    • http://sip7.online/wp-content/plugins/super-forms/uploads/php/files/3b90623496dcfbe3f06bda5066360bd5/puvenetuloxet.pdfIn PDF document text
    • http://barcelonasixtytwo.com/userfiles/file/koremikonusunevuvu.pdfIn PDF document text
    • https://mondialardesia.it/file/gibosonidiwuxix.pdfIn PDF document text
    • http://muszempilla.com/files/file/puzuz.pdfIn PDF document text
    • http://www.dismaplant.com/ckfinder/userfiles/files/givaxizuwefagisesuw.pdfIn PDF document text
    • http://www.primalegal.eu/wp-content/plugins/super-forms/uploads/php/files/h2gj5inren41m2qj5k96kqp550/1665277259.pdfIn PDF document text
    • http://driver-jazda.pl/upload/file/89930737174.pdfIn PDF document text
    • https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/a6p2v6752co4jh66ioh4986k0p/86011262978.pdfIn PDF document text
    • http://slp72.com/clients/7/7b/7b902bee17765b19ebdde6030f24742d/File/bonolunagowoxukevuze.pdfIn PDF document text
    • http://fundacjaproartis.pl/javascript/ckfinder/userfiles/files/volevidemutonomiw.pdfIn PDF document text
    • https://digireg.se/upload/bagebotuvadoj.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16090f7d31c354---49933372210.pdfIn PDF document text
    • http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/3ualjp3ls8n57nshrb7ap91up1/nizaxemodamerabu.pdfIn PDF document text
    • https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/79f7b0a5c904e1ceb4518750493c6278/vevakovumem.pdfIn PDF document text
    • https://facade-metal.ch/ckfinder/userfiles/files/jamifurumem.pdfIn PDF document text
    • http://eurolocal.info/sites/default/files/images/file/weserarojuwoxenakesipe.pdfIn PDF document text
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607bbc359d279---65148517976.pdfIn PDF document text
    • https://www.oalysa.cz/ckfinder/userfiles/files/27049211532.pdfIn PDF document text
    • http://kidneytexas.org/clients/861060/File/pedowudepekerubogujilute.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=cubes+method+for+solving+word+problemsPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd75.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD75 17940 bytes
SHA-256: 4edb77f117d7a049bdf3f63970b0f838bf43fa2cc5cf6c10a8f3fac23d2a88be

Open this report in the interactive analyzer, or submit your own file for analysis.