Malicious PDF — malware analysis report

Static analysis result for SHA-256 1235f657c5622480…

MALICIOUS

PDF

74.8 KB Created: 2021-07-31 19:36:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 89e52a85796497bc67925645e314414b SHA-1: 5713b2ff50a2d8a5e19378fb882ec93c52587624 SHA-256: 1235f657c5622480de45b99b7a3aec067d9ad9d3b80a6a1d5ad144a3d94c065d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites and disposable hosting, suggesting a link farm designed to distribute malicious content or phish users. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicates malicious intent. The ML classifier also flagged the PDF with a high probability of being malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7451

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=how+much+should+hvac+maintenance+cost PDF link annotation
    • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a4389447b31---furoxora.pdfIn PDF document text
    • http://allaboutdowney.com/userimages/tumawotovanuzupekofarobik.pdfIn PDF document text
    • https://businesslife.com/content/files/30537331385.pdfIn PDF document text
    • https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/1fe66dc8d1f26bbb14fa3ef3a7c9a957/pagaron.pdfIn PDF document text
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072c5b69a106---42601769708.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0682b8dd94---49013204997.pdfIn PDF document text
    • http://zawayakw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160813a9eab175---xoluwixogomemole.pdfIn PDF document text
    • http://abovomedia.hu/_user/file/9592612289.pdfIn PDF document text
    • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb6ff83fb6---baxavexulojadem.pdfIn PDF document text
    • https://santechnikosdarbai.lt/images/files/vomalitivokiliwezoxuzita.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee3d6bc283---35631775429.pdfIn PDF document text
    • http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab8d89ac4a5---pumamodipufobikixa.pdfIn PDF document text
    • http://workcoop.org/fckeditor/userimages/file/20210709094840.pdfIn PDF document text
    • http://doubler-son-capital.com/photos/files/meguxadavufewufisonom.pdfIn PDF document text
    • http://0965818789.com/CKEdit/upload/files/98850600322.pdfIn PDF document text
    • http://agenziaimmobiliarecannavo.eu/userfiles/files/vumusov.pdfIn PDF document text
    • http://apluskleaning.com/admin/images/file/85482190457.pdfIn PDF document text
    • http://maxkbm.com/clients/2/28/28fcaa936e2ecbeb6c9a97ea0f1ab253/File/zeketizobepevasosekexadid.pdfIn PDF document text
    • https://pyhm.ca/wp-content/plugins/super-forms/uploads/php/files/kboj0d50l0j3ial14le1ecf893/numolepomesutonutuwis.pdfIn PDF document text
    • http://goteneplast.se/files/images/file/weken.pdfIn PDF document text
    • http://serendipityorlando.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d2fb66b465e---xakevasaxilalejokuvumutin.pdfIn PDF document text
    • https://cuisinescartier.ca/upload/editor/file/gexobemebasoxawe.pdfIn PDF document text
    • https://sharpspringwww.kinsta.cloud/wp-content/plugins/super-forms/uploads/php/files/a71204654339b693de562fea369dde2b/jufozefunutese.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f1e0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF1E0 10780 bytes
SHA-256: ecd64ed01c27a99691c9928f428f454bc07bafb2b446640d56746a35db65e770