Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a64d07f33071603…

MALICIOUS

PDF

138.8 KB Created: 2021-06-11 03:18:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 81470ef16bf3c51960b214cd0f3e0430 SHA-1: fbd8805b5207ca37b6097d4c3ad7ed3de48ffd45 SHA-256: 0a64d07f33071603f5b517235a3f6504fd97988a43a59fd7777fb77f1c541283
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file is classified as malicious by ML models and ClamAV, indicating it is a phishing or trojan. It contains numerous links to compromised websites, suggesting it is part of a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains keywords related to free PDF downloads, likely a lure to entice users to click on the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7882

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/uplcv?utm_term=durga+saptashati+pdf+free+download PDF link annotation
    • https://trucraftsmanship.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c91e3aac98---52354715219.pdfIn PDF document text
    • http://europeanprofservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf049524e27---23695035604.pdfIn PDF document text
    • https://www.federatedlighting.com/wp-content/plugins/super-forms/uploads/php/files/b2f52919f572fc72f2748119507fc066/43564523582.pdfIn PDF document text
    • https://trellisdundee.com/wp-content/plugins/super-forms/uploads/php/files/8d1894d16fa74536fc1b6468c6a6b246/4437354237.pdfIn PDF document text
    • https://psychologgia.pl/Upload/file/76852774919.pdfIn PDF document text
    • http://sherwoodchambergolf.com/ckfinder/userfiles/files/tapifutivafavo.pdfIn PDF document text
    • https://ehblending.com/wp-content/plugins/super-forms/uploads/php/files/10fe8c177ce514905bbe9e54357734b3/51990669104.pdfIn PDF document text
    • http://aldo-ins.com/userfiles/file/45646044492.pdfIn PDF document text
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/160750e4096cbe---56341576378.pdfIn PDF document text
    • https://humble-brag.com/wp-content/plugins/super-forms/uploads/php/files/p7p96j2vu5r2spqlgoi1i77k64/xowajavizadavinaxuvufapik.pdfIn PDF document text
    • https://www.femregenx.co.za/wp-content/plugins/super-forms/uploads/php/files/a1nt1gmj1366mdcr6prpav50ml/kapulopudu.pdfIn PDF document text
    • https://www.scanworld.se/wp-content/plugins/formcraft/file-upload/server/content/files/160aa9e04c53bf---nukamoxowijubakametisudus.pdfIn PDF document text
    • http://bhsclassof70.com/clients/a/ac/acf0241a72c9eb28a719a759cf8a4748/File/29968081503.pdfIn PDF document text
    • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/36el7ps64ebfqbgpvql50g25o3/35048441621.pdfIn PDF document text
    • http://zonweringnederland.com/ckfinder/userfiles/files/wufadatikozi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001eb2c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1EB2C 5396 bytes
SHA-256: a2dc9eab54835a4ba54c9035448bc8468cdfa7d18feff90d945d5bdc35eec926
font_01_sfnt_off0001fd96.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FD96 11120 bytes
SHA-256: 5307157dc09e734cbca81d93e7f0e42772ce78a8d462588afec347288c8d2b2b