Malicious PDF — malware analysis report

Static analysis result for SHA-256 1308360eb40087da…

MALICIOUS

PDF

72.0 KB Created: 2021-09-07 04:21:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 238ba2e015ad3c9a1be6d2b5b9b27dfc SHA-1: d35a6fe4c08321d693b3ed60e3a3ec889c89f173 SHA-256: 1308360eb40087da4a7e13f798a4af121074660ae32e21a74f37088566d4082e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm with numerous URLs hosted on potentially compromised or disposable domains, indicating a likely phishing or malware distribution attempt. The presence of external URIs and link farms suggests an effort to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8022

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bjsprt.com/uploadfile/file///2021070813290948.pdf In PDF document text
    • https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/h444p8bnif57rl77cv356gn4ks/94328356019.pdfIn PDF document text
    • http://puginternational.com/ckfinder/userfiles/files/47583852391.pdfIn PDF document text
    • http://finsura-lifedirect.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608ee4a58b308---22405865686.pdfIn PDF document text
    • http://taeguektour.com/FileData/ckfinder/files/20210712_2051F64803AE9195.pdfIn PDF document text
    • https://brusroom.com/wp-content/plugins/super-forms/uploads/php/files/f63ec9b1ed0be51672ffc3d49352f411/bedurejofezisasoza.pdfIn PDF document text
    • http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160850dcdc5663---58354349993.pdfIn PDF document text
    • https://beaszemin.com/files/lekuzuto.pdfIn PDF document text
    • https://termofriz.rs/files/57577014719.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a92943e28e9---39997355163.pdfIn PDF document text
    • https://sharedsynergy.com/userfiles/file/nivizusadofapazojuki.pdfIn PDF document text
    • http://gpp300.fr/userfiles/file/29482125659.pdfIn PDF document text
    • https://bulendengin.com/upload/ckfinder/files/fixawokixosop.pdfIn PDF document text
    • http://htk2.altrodesign.eu/ckfinder/userfiles/files/kizefaposunakug.pdfIn PDF document text
    • http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/16076982f81d5e---23352433322.pdfIn PDF document text
    • http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084feddb192b---mowolozujoj.pdfIn PDF document text
    • https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/a5c29d8296f732e0dacba9f1554b533d/13244503714.pdfIn PDF document text
    • http://pytextiles.com/userfiles/file/ridugajipevetugitopisuv.pdfIn PDF document text
    • https://thuaphatlaihanoi.net/uploads/files/vozeliwinekatodu.pdfIn PDF document text
    • https://extremetour74.ru/wp-content/plugins/super-forms/uploads/php/files/fe0d7d6a53ab3a5a10c4e20fb529b0e0/nozevilagasoluziwi.pdfIn PDF document text
    • http://fatimaartwork.com/userfiles/file/fepisuranaxano.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/YTWXjIUwRh0/uplcv?utm_term=siolta+principles+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb33.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB33 10688 bytes
SHA-256: dda9df21b0da16ddcba369a7f0a8f6eed7f9d272aee025f2c5d7bd403baea9a7