Malicious PDF — malware analysis report

Static analysis result for SHA-256 12f1e58bed2e2cfe…

MALICIOUS

PDF

64.0 KB Created: 2021-09-23 23:37:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: 57af455e23b1b21bddafcb75eceaceb8 SHA-1: cd6915ac9f66df442c941ea456b86f2469130169 SHA-256: 12f1e58bed2e2cfeff538a74658c951ba9344b91dda551665cacb1e4f4b64dd0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links, many pointing to compromised CMS upload storage and disposable hosting, suggesting a link farm designed to redirect users. The presence of a 'download fall guys apk' UTM term in one URL indicates a lure for users seeking game downloads. ClamAV detection and ML classification confirm the malicious nature of the PDF, likely serving as a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7095

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=download+fall+guys+apk PDF link annotation
    • http://www.tomasjelinek.com/img/pub/file/worofuwanikuked.pdfIn PDF document text
    • https://vallejardin.com/wp-content/plugins/super-forms/uploads/php/files/c769647e589eba75c5102a59077afffc/76665654014.pdfIn PDF document text
    • http://haenuri.net/ckupload/files/noxedijaliwajugezagafo.pdfIn PDF document text
    • http://laulumaja.fi/ckfinder/userfiles/files/zowenujasuxevawo.pdfIn PDF document text
    • http://annassteen.com/ckfinder/userfiles/files/50850076451.pdfIn PDF document text
    • http://cgl.lu/userfiles/files/vapagutipunufatezevuko.pdfIn PDF document text
    • http://www.dr.schure.net/ckfinder/userfiles/files/fufadux.pdfIn PDF document text
    • http://ellissi.org/userfiles/files/zemubumatebisugijulabum.pdfIn PDF document text
    • https://10fci.info/userfiles/file/muwidave.pdfIn PDF document text
    • http://togul.org/sites/default/files/file/7289078988.pdfIn PDF document text
    • http://kiko168.com/UploadFile/file/20210920114817293.pdfIn PDF document text
    • https://sieseam.org/userfiles/files/xatosixofezotoxolu.pdfIn PDF document text
    • http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/161434ac4f3dd8---jokagujivamubit.pdfIn PDF document text
    • http://agriturismolionsfarm.it/userfiles/files/fipukekozita.pdfIn PDF document text
    • http://tms-technology.com/ckfinder/userfiles/files/21137426781.pdfIn PDF document text
    • http://zechnerbau.at/images/content/files/10269126898.pdfIn PDF document text
    • http://pomelieagency.com/userfiles/files/79965279661.pdfIn PDF document text
    • http://vindindex.nl/images/uploads/bejuzirex.pdfIn PDF document text
    • https://solidpractise.com/files/userfiles/file/74428082641.pdfIn PDF document text
    • https://jin-ji.com/upload/files/xuvafeletojuvixop.pdfIn PDF document text
    • http://susasoft.com/upload/userfiles/files/wiwobamevebinugig.pdfIn PDF document text
    • http://gruaszarate.com/ckfinder/userfiles/files/64412177672.pdfIn PDF document text
    • http://revize-elektro.info/UserFiles/File/78815307261.pdfIn PDF document text
    • https://www.histoiresdegroupes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613e8ba341357---kutitifirefoxobotus.pdfIn PDF document text
    • https://www.rt9.rspo.org/ckfinder/userfiles/files/79553669949.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e303.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE303 10644 bytes
SHA-256: 03815ea5ef55a3fac0d3ca20e9ade903d8104c3b636f4ce062d9991b86dde7ce