Malicious PDF — malware analysis report

Static analysis result for SHA-256 0932db5bac4456ab…

MALICIOUS

PDF

68.4 KB Created: 2021-08-19 20:21:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: f4c2ae37034e0aa70c7e640f8e69561b SHA-1: 5895d3f2608033cf7c87a810277694de6addeeda SHA-256: 0932db5bac4456ab493e6a887e9b34763fc4c9655cf6e507cabf07c114056e16
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a link farm, directing users to multiple external URLs. Several of these URLs point to compromised WordPress upload directories, indicating a potential phishing or malware distribution scheme. The ClamAV detection and ML classifier strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9448

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://whs1963.com/clients/7/75/758a827d59fb1c2827eec60421ffdc22/File/xomikarapimefivekuxum.pdf In PDF document text
    • http://emilymillerlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/betusesevejutemo.pdfIn PDF document text
    • https://winston-woodward.com/wp-content/plugins/super-forms/uploads/php/files/d3b808276fb83b62f9d0c3bedd48b31d/32149018438.pdfIn PDF document text
    • http://amexeuro.com/an3_Uploads/file/67922692305.pdfIn PDF document text
    • https://hoovermaids.com/wp-content/plugins/super-forms/uploads/php/files/a0cdba9c51a69f0df468456ea9f0b0a7/65456231607.pdfIn PDF document text
    • https://xn--80aaa1anac6cg.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/d7ac400947f41ae576d3cf226ab8193d/mazipunoj.pdfIn PDF document text
    • http://nowyhotelik.pl/userfiles/file/jatirarinesososibuwe.pdfIn PDF document text
    • https://dunakanyarfesto.hu/ckfinder/userfiles/files/sikureludogo.pdfIn PDF document text
    • http://accurateverdicts.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2f872da134---55176264883.pdfIn PDF document text
    • https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a7a255a17d4---nuratewevujosure.pdfIn PDF document text
    • https://massagetheory.ca/wp-content/plugins/super-forms/uploads/php/files/a659848faac55844460a906655e4e069/64844809001.pdfIn PDF document text
    • http://vestmorecapital.com/images/epost/gutijaxijidelovop.pdfIn PDF document text
    • http://medicaldistri.com/ckfinder_files/files/10830155108.pdfIn PDF document text
    • http://itaindustrial.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160703c07e0a49---miwuxipisu.pdfIn PDF document text
    • http://vkts.se/userfiles/file/zokugakiba.pdfIn PDF document text
    • http://acril.ru/ufiles/files/65106680979.pdfIn PDF document text
    • https://stef-nancy.fr/upload/document/18208577333.pdfIn PDF document text
    • http://perfectionistpaintingnj.com/ckfinder/userfiles/files/xisusowitigiket.pdfIn PDF document text
    • https://safrano.pl/userfiles/file/litupibuxadezifoj.pdfIn PDF document text
    • http://ifaistos.reality.gr/~triantaf/images/file/18956362048.pdfIn PDF document text
    • http://ulv-fogger.es/d/files/68415100242.pdfIn PDF document text
    • http://zulassung4you.de/bilder/file/punibuvulofineginu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=strong%27s+exhaustive+concordance+of+the+bible+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1D6 16664 bytes
SHA-256: b0272b77144a2a1a7edfc1934cacdf5c5527ae4d5bdd89a089b57f4cbb5f0ba0