Malicious PDF — malware analysis report

Static analysis result for SHA-256 1137f587bb2be93d…

MALICIOUS

PDF

Size: 64.3 KB
Created: 2021-05-10 11:07:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 94d11d444acb50340fe5cf653456602e
SHA-1: 5403ddf769298f6e070ade3ec6b2074c38963d6e
SHA-256: 1137f587bb2be93d65564497831c882746498c9cff74453498e81727a5119202
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links, many pointing to compromised WordPress upload directories, suggesting a link farm designed to redirect users to malicious content. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing or malware distribution vector. No scripts were extracted, but the structure and embedded URLs indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8681

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e5a5.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE5A5
Size: 4920 bytes
SHA-256: 2af450a03288d012d326d903e6eb7b74691a074fa6961e878bc3ff6ed5679cfc