Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d19494210579aeb…

MALICIOUS

PDF

102.6 KB Created: 2021-07-22 23:43:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 08d4dbb8f0533e62d70e767a7029ad76 SHA-1: bf04849ccc3d7370ea1c9793bfbcb7d676084fa0 SHA-256: 0d19494210579aeb5bb322e799a6d9ed2e31c42167872f6e5ff87105a526b64c
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm pointing to numerous distinct hosts, many of which appear to be compromised WordPress sites. ClamAV detected this file as Pdf.Phishing.Trojan, indicating a malicious intent to lure users to potentially harmful content. The embedded URLs suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.1393

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://popa.com.br/wp-content/plugins/super-forms/uploads/php/files/26601310ea98dfb59945e4a29db9e121/selewitomitewulufita.pdf
    • http://la-roofers.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607844bf2db0b---1761210279.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ee59f2321db---71150064866.pdf
    • http://burelomdo.com/ckfinder/userfiles/files/nuzepo.pdf
    • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f22c9994fd---57353029205.pdf
    • http://yuc-fac.com/uploadfiles/20210722083757.pdf
    • http://hondatayho.vn/images/ckeditor/files/nojigelore.pdf
    • http://portalpr-b2b.es/img/user///file/_0385122001625235124.pdf
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16091af7820d8d---rozoxutoxatosoge.pdf
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1608075929122b---dojusekajozanomupigili.pdf
    • http://www.makattakasinti.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e140eb7412---femelezidejogok.pdf
    • http://vladjurnalist.ru/archive/file/48441673562.pdf
    • https://unibel.pl/pliki/upload/file/93198703321.pdf
    • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/16081f02ce6db2---34181986972.pdf
    • https://bakotech.at/uploads/ckeditor/files/19445207553.pdf
    • http://fygl.net/uploads/file/031044546859.pdf
    • https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b53434dec6---67959642834.pdf
    • http://prosquash.by/data/forasimepatijumi.pdf
    • http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609858f02875a---vaxonuwejedoreb.pdf
    • http://inspirationallabels.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160741c2eebf98---60168487263.pdf
    • http://libron.pl/fckupload/assets/file/dagagizumiziluzekuwaxov.pdf
    • http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606d8b0261416---53397339232.pdf
    • https://zivotzaokny.eu/res/file/75162909088.pdf
    • https://mosoptagro.ru/wp-content/plugins/super-forms/uploads/php/files/fa4a61a6736c910323043746fbf448a3/5057239950.pdf
    • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/efaca21c753b445878aedd33932d7c55/mamov.pdf
    • http://wghsclassof69reunion.com/clients/b/b3/b33699c65747f61a54cd06c2fab73d22/File/xodiz.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=book+of+moses+bible
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001494e.bin
1fbca00590232a7e45aa531e87520c944cb8545cb9b4602b0aa37dc73bd314ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1494E 17540 bytes
font_01_sfnt_off00016402.bin
928317592758ae204af361e2729207e64d2c85c7b935801c7f6425097c7bf4b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16402 20248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.