Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c7dabb0a5208461…

MALICIOUS

PDF

90.1 KB Created: 2021-07-04 12:02:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: ea29d798d5006e7c259e925b0defb69e SHA-1: 527a14503b128cbf7e6ceaea9955e9f3a8aa8b96 SHA-256: 0c7dabb0a5208461768cf49c4bd3fd1a50230dac8abe79f37e508351ef376eb7
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a PDF containing a link farm, with multiple heuristics indicating it points to compromised CMS upload storage and disposable hosting. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent. The embedded URLs are likely used to lure victims into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3658

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vandientuchinhhang.com/upload/files/68460881630.pdf In PDF document text
    • http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078bff6795c7---laliduw.pdfIn PDF document text
    • http://multiseal.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160c8880e6c60d---ximovenasiwabaronabuxuwox.pdfIn PDF document text
    • http://volamtuyetthe.com/userfiles/file/sakufepivodubit.pdfIn PDF document text
    • http://udokutscher.de/gfx/userfiles/files/ganezixexozodunosibiwado.pdfIn PDF document text
    • https://textosolutionslinguistiques.ca/upload/editor/file/kaseduxowaluluviz.pdfIn PDF document text
    • https://uleshuzataruhaz.hu/files/file/82990994710.pdfIn PDF document text
    • http://eske.hu/wp-content/plugins/formcraft/file-upload/server/content/files/160c40ce13dc48---likakidub.pdfIn PDF document text
    • http://smartpaintingplus.com/userfiles/files/supapimu.pdfIn PDF document text
    • https://abe-rdc.com/userfiles/file/20324795347.pdfIn PDF document text
    • http://www.hollyskauaicondo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4dca81125a---45668444231.pdfIn PDF document text
    • http://www.lightingandhvacexpo.com/wp-content/plugins/super-forms/uploads/php/files/a8fc6c40b4d22e5d2b330bf96f3bffd6/wakuxatedisomuba.pdfIn PDF document text
    • https://nezrenpin.com/calisma2/files/uploads/97650809184.pdfIn PDF document text
    • http://gyobel.itpublic/file/3650533224.pdfIn PDF document text
    • https://webtechnocrats.com/upload/file/72985495804.pdfIn PDF document text
    • http://sllight.ru/design/img/upload/file/zedujejubul.pdfIn PDF document text
    • https://fjordancv.info/wp-content/plugins/super-forms/uploads/php/files/c0345ee4f139df0e06dbd84d8befec87/lotizogenetuvumepuziw.pdfIn PDF document text
    • http://termitecontrolservicebd.com/ck/upload/files/88133948430.pdfIn PDF document text
    • https://aedwea.com/upload/foto/47364810692.pdfIn PDF document text
    • http://whscardinals1963.com/clients/9/9e/9e5fab02d16e7113a74bdd4e7828f974/File/buxiwoxe.pdfIn PDF document text
    • http://ankarapianofestival.com/userfiles/file/41535065644.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/rek34438se9hrl6756ccrjbqto/kowuve.pdfIn PDF document text
    • http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160b1e8f6504d5---fuligozafalor.pdfIn PDF document text
    • http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ce0c97ba94---sisini.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=words+that+rhyme+with+fanPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000115f9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x115F9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00012e0b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12E0B 18728 bytes
SHA-256: ae69d3ec5bf05664330bf99b77feb03b2274753ae5c12787d8e9f3512acd4cbd

Open this report in the interactive analyzer, or submit your own file for analysis.