Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b70aeeaf3e3816e…

MALICIOUS

PDF

71.2 KB Created: 2021-06-08 15:20:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-16
MD5: d87498cabe22098718c1a313d19893f3 SHA-1: 2f0d6a18e3de50c306dcd56bdc2e03fc99189ecb SHA-256: 0b70aeeaf3e3816eba4d4fdf92513598bcb5d5c2ac2a11d81cce40015907c3a7
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is classified as malicious by ML models and ClamAV, indicating a phishing or trojan threat. It functions as a link farm, directing users to download files from compromised WordPress sites, disguised as a guide for setting up Chromecast. The presence of external URIs and link farms on disposable hosting suggests a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9468

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=how+to+setup+chromecast+from+android+phone PDF link annotation
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16072f3b6a0c7e---sufojinesuseledufawetil.pdfIn PDF document text
    • https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f7c0e9d969---gogojali.pdfIn PDF document text
    • https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16085bef8306ff---44288253744.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b34b94dc71---29039924956.pdfIn PDF document text
    • http://www.trimbleexpress.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160734d9aca5ed---16502471507.pdfIn PDF document text
    • https://expungemyrecordnj.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4089836477---87350866381.pdfIn PDF document text
    • http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c73fda08ba---pilejogubaz.pdfIn PDF document text
    • https://noukos.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160abebf78f0d6---33407320157.pdfIn PDF document text
    • https://deedpoll.sg/wp-content/plugins/super-forms/uploads/php/files/1b9b58ec96e185b28b50f0e2caeb6bec/gedunitumisukadej.pdfIn PDF document text
    • https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/397a37eb56f10e8ba04db21bce605184/ponevuzunozikaze.pdfIn PDF document text
    • https://aquaticlandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074d6aef0617---47079140296.pdfIn PDF document text
    • http://acpiindia.com/userfiles/file/55659158292.pdfIn PDF document text
    • http://kwik-it.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1608a6042423c8---rotitemulojogemuj.pdfIn PDF document text
    • http://mfplus.ba/wp-content/plugins/formcraft/file-upload/server/content/files/160965d2e1bbab---nodevafubuwufasafor.pdfIn PDF document text
    • https://rrvchefs.com/wp-content/plugins/super-forms/uploads/php/files/3bb4def81f0151b62b27b1413b6b848a/83144907871.pdfIn PDF document text
    • http://urbanconstructions.org/images/uploadedimages/file/8931821327.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dbb6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDBB6 5296 bytes
SHA-256: 658efd94ee5d0eb2b9dfe2441e06583e327b6c3e57c503d8279a851ab4910d57
font_01_sfnt_off0000eda2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDA2 10068 bytes
SHA-256: 960ccef977b0611b99abd62dfc7efb2fa10c71d57424ab9473cf9335b5847f13
font_02_sfnt_off0001100f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1100F 4324 bytes
SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333