Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a4e1d74b42f7e9d…

MALICIOUS

PDF

58.9 KB Created: 2021-04-28 11:17:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 063d53529479c80d1a2812ac6665502b SHA-1: 2df56c1fcbc04ef2ed0a043d8be344d742f67ea6 SHA-256: 0a4e1d74b42f7e9ddaee30d6dfca08af40ab78185040461e11498a8528c66bac
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains numerous embedded URLs pointing to compromised WordPress sites, acting as a link farm. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, suggesting it's not intended for human readability but rather to host links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9746

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607612b5a9cba---63106646784.pdf
    • https://bf-pomosch.ru/wp-content/plugins/super-forms/uploads/php/files/t18vcdafeetv796o2h6g2fkab4/91385313639.pdf
    • https://bodwellassociates.com/wp-content/plugins/super-forms/uploads/php/files/1cfc7f0b0929731561ada702b45bb726/93912049670.pdf
    • https://www.bakirkoytemsilcisi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5e3ee28b7---nefodutoxalowa.pdf
    • https://prana.video/wp-content/plugins/super-forms/uploads/php/files/mn5osr5vuh4mhcv9vs4bk3g4su/35306968318.pdf
    • http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607440e860cf6---worimopezegorupasofajinov.pdf
    • https://lashmakerpro.it/wp-content/plugins/super-forms/uploads/php/files/91uj3e9omtettltsne6r64o446/minewodenide.pdf
    • https://www.mnspineandsport.com/wp-content/plugins/super-forms/uploads/php/files/1753c9b80e62370d48038a18039ab55c/jogogamaxip.pdf
    • https://www.rowtheerne.com/wp-content/plugins/super-forms/uploads/php/files/969e449b467bc2d1d02d370959514877/50992420630.pdf
    • http://www.eflox.net/wp-content/plugins/formcraft/file-upload/server/content/files/1607e18223d2b3---devofusiguvi.pdf
    • https://thewaves.net/wp-content/plugins/super-forms/uploads/php/files/p4srn6s3ugn69e7hpkbhjseqs6/21866405012.pdf
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8344f27e7---19513247625.pdf
    • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/0piosibbvn6f1bltsmno34hvpp/77821707985.pdf
    • https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607ecf446e854---97788073194.pdf
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/cc2pa2glvgagaeh3bfgtkkqna2/rovomuposinalomu.pdf
    • http://aj-logistics.com/stock/userfiles/file/jidujanowivakobare.pdf
    • https://wecafephuket.com/wp-content/plugins/super-forms/uploads/php/files/a4vvs4h64f4788a8f4oi0lrgep/46325002647.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=amedspor+orjinal+forma
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cfa2.bin
ba44c141d3237f7da63e7df1f5a713de956a91ecb1d6aff420faf3dee6804c1e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCFA2 5252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.