Malicious PDF — malware analysis report

Static analysis result for SHA-256 0945510b32f6d9da…

MALICIOUS

PDF

59.5 KB Created: 2021-07-21 11:57:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 171faf7ce77681b2639ab42b3b5e1c27 SHA-1: dd1cb443d49c7844cbbc05e11b1e0cf0139f28d5 SHA-256: 0945510b32f6d9dacb756e9da8f093c6f158b439e80dfdfeb607d144af16c410
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, indicating an attempt to execute code within the PDF viewer. It also features a link farm pointing to compromised WordPress upload storage and other disposable hosting, suggesting a phishing or malware distribution scheme. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3715

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ivanamihic.com//files/rexowupogejonuvas.pdf In PDF document text
    • http://chikatere.com/Upload/files/xisiremaridekumij.pdfIn PDF document text
    • https://abril.pe/wp-content/plugins/super-forms/uploads/php/files/mbhpd75cvsntdu61v0g84pvncj/12370017584.pdfIn PDF document text
    • http://shinex-auto.com/userfiles/file/besavemanipurinejagufaxu.pdfIn PDF document text
    • http://bienbao.org/uploads/files/95515136011.pdfIn PDF document text
    • https://takiminsahada.com/wp-content/plugins/super-forms/uploads/php/files/k2l3e1ocn1178ehg8qmi0tdtlk/79912575261.pdfIn PDF document text
    • http://servmed.net/userfiles/file/96368009118.pdfIn PDF document text
    • https://www.beewellrx.com/wp-content/plugins/super-forms/uploads/php/files/tmp/regako.pdfIn PDF document text
    • https://www.lipfish.no/wp-content/plugins/formcraft/file-upload/server/content/files/16094d219a29d1---kisetizopizovavegogu.pdfIn PDF document text
    • https://10glazsikeyrosa.ru/file/65652707922.pdfIn PDF document text
    • https://voolabs.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083336667589---44214461043.pdfIn PDF document text
    • https://digitaldaya.com/imagenes/file/63664610316.pdfIn PDF document text
    • http://szyuangang.com/UserFiles/file///39474845571.pdfIn PDF document text
    • http://laiksmodalux.lt/app/webroot/uploads/userfiles/files/xegezovuxokagovi.pdfIn PDF document text
    • http://ondrejkocar.cz/img/file/virado.pdfIn PDF document text
    • http://sunnysideclassof64.com/clients/a/ac/acc4ccb49d7935ca36198347b895393e/File/56590742376.pdfIn PDF document text
    • http://merwepizza.com/upload/file/54669720745.pdfIn PDF document text
    • http://studiocalcinoni.com/userfiles/files/78538105185.pdfIn PDF document text
    • http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0b2d772c82---13138558898.pdfIn PDF document text
    • https://u-spot.biz/js/ckfinder/userfiles/files/perenemudumesilon.pdfIn PDF document text
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/1ca9cbb24b62c3674f6b36c1dd11475f/wejofamumamufixukaveru.pdfIn PDF document text
    • http://cps-mbstu.edu.bd/app/webroot/js/ckfinder/userfiles/files/xebaxot.pdfIn PDF document text
    • https://marblobathware.com/app/webroot/img/files/57742660037.pdfIn PDF document text
    • https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/4a57iq8kqcrr19nskn6803c1rf/41241516533.pdfIn PDF document text
    • https://mfdesign.hu/files/file/gelusenefadigopi.pdfIn PDF document text
    • http://anm-av.de/uploads/files/69641319105.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=puppies+wagging+their+tailsPDF link annotation