Malicious PDF — malware analysis report

Static analysis result for SHA-256 083305662ee04e74…

MALICIOUS

PDF

71.8 KB Created: 2021-08-14 00:28:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: 001e3498a58fc9bc4405fb1e19551d53 SHA-1: f77f3e67a5c18c6e667198267aa4674e5aa4a5bc SHA-256: 083305662ee04e74f808fc68a4bd2d81edc16839cb103d654287745ed1c09758
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised WordPress sites and other domains, likely intended to host malicious content or phishing pages. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document text may contain obfuscated commands, further indicating malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6252

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pointsourcegroup.com/wp-content/plugins/super-forms/uploads/php/files/09c11b7eb758f45550674aa8b79e0daa/binelimu.pdf In PDF document text
    • https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/edjvkcmdulep892drvasrb07s7/16789513106.pdfIn PDF document text
    • https://kebecelectrique.com/upload/editor/file/kuturixuxujodu.pdfIn PDF document text
    • http://sibstroiexp.ru/userfiles/file/62063410099.pdfIn macro / runtime command snippet
    • http://armanetti.com/images/zovibadimexanudututajilu.pdfIn macro / runtime command snippet
    • http://toddfamilyreunion.com/clients/4/48/482e924d5a052aa4a0c13eb8a30e0bc8/File/43914599740.pdfIn PDF document text
    • https://www.sacda.org/wp-content/plugins/super-forms/uploads/php/files/7b7hda75a11p3dsg2lnlfufo34/31719472570.pdfIn PDF document text
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608c5ae748093---63132116402.pdfIn PDF document text
    • http://www.inhd.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607e0cdcce785---83986839825.pdfIn PDF document text
    • http://decaiyun.com/upload/file/210803093348764829lx6368ne1l16.pdfIn PDF document text
    • http://skiflogistics.ru/userfiles/file/25163470026.pdfIn PDF document text
    • http://hytechcommunications.com/userfiles/file/48354569436.pdfIn PDF document text
    • http://alpinist.store/sribati/editor/uploadfiles/depagapakuvux.pdfIn PDF document text
    • https://abeess.com/userfiles/file/9386563460.pdfIn PDF document text
    • https://sapporopools.com/contents//files/85288727302.pdfIn PDF document text
    • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607070a23ec0c---gasomarilofisekusiva.pdfIn PDF document text
    • http://showplus.ae/userfiles/files/lubikedipikefixelodepidi.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/4b24b6d784894f543c9193d6e1fde8cd/55601903214.pdfIn PDF document text
    • http://globalnetworks.de/www.galabau-poscher.de/main/preview/ckfinder/userfiles/files/gevitinalel.pdfIn PDF document text
    • http://www.cenlajobinator.com/siteuploads/editorimg/file/37899849022.pdfIn PDF document text
    • https://angkorphotographyguide.com/userfiles/file/ravolezogarojirilemawu.pdfIn PDF document text
    • https://mziagroup.com/wp-content/plugins/super-forms/uploads/php/files/q5791tbil4pc7cntj6tnpk53r8/93194330833.pdfIn PDF document text
    • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/11778351e5d7b29a7014afa1861de9bc/gozopojowilanososib.pdfIn PDF document text
    • https://www.tctnanotech.com/wp-content/plugins/super-forms/uploads/php/files/f544dcc6a09bd77e0ff38f434b6aaa31/38756315516.pdfIn PDF document text
    • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086cc53bb16b---nogabebexirepolepego.pdfIn PDF document text
    • http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160f335fa6f3e8---19968325988.pdfIn PDF document text
    • http://insightonafrica.in/userfiles/file/nafuvoxe.pdfIn PDF document text
    • http://adanateknikservis.web.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160bf3c540b4c0---zaperagigagukanugafavo.pdfIn PDF document text
    • https://kebecelectriquIn macro / runtime command snippet
    • https://feedproxy.google.com/~r/Uplcv/~3/1xuhb7AK25c/uplcv?utm_term=auto+clicker+programsPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000101b1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101B1 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1