Malicious PDF — malware analysis report

Static analysis result for SHA-256 132b86ad1dafaa1a…

MALICIOUS

PDF

63.8 KB Created: 2021-06-20 15:38:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-22
MD5: f06dc2976120174d914e697ed389e537 SHA-1: 89cfcb6c59f59752fedf41fd3299ecaa98ca49b0 SHA-256: 132b86ad1dafaa1a83bc9ed94b0bfeff3984b3666c05c3157eebc81da295a6ad
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document functions as a link farm, distributing links across numerous domains, some of which are hosted on compromised WordPress sites. This suggests a phishing or scam campaign aiming to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8608

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jerseybankruptcylaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/33626103449.pdf In PDF document text
    • https://edoxmarketing.com/wp-content/plugins/super-forms/uploads/php/files/gd8vhjbeg93ach3hqlbmm46ecg/64014924040.pdfIn PDF document text
    • http://mognational.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081d37f76bd0---ruzijowawuji.pdfIn PDF document text
    • http://africanhairbraidingsalon.com/userfiles/file/nosurujilezowadiludixupi.pdfIn PDF document text
    • http://aarogyamedico.com/userfiles/file/tewamupedusilelasa.pdfIn PDF document text
    • https://amenagementsoleil.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087f31669fbd---47978205985.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abb9cdbd4e4---juvapavasamixub.pdfIn PDF document text
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607b4b748e891---bamivami.pdfIn PDF document text
    • http://www.goataxiservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bb5b8736bc4---wufumewinumasa.pdfIn PDF document text
    • http://kemenyseprosiklos.hu/upload/file/lulosuxa.pdfIn PDF document text
    • http://brodart01.com/wp-content/plugins/super-forms/uploads/php/files/6macos3k7esetgfsn9rh2vjr9u/54121445181.pdfIn PDF document text
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/1mkhn9lvhc2qd6ghtsckd22ilu/nikadasegeporuvixovajorik.pdfIn PDF document text
    • https://xn--80aaijz0c.xn--p1ai/ckfinder/userfiles/files/62760709382.pdfIn PDF document text
    • https://www.myjamaicais.com/wp-content/plugins/super-forms/uploads/php/files/bc802a48d0a03fe25842a07b65a209e9/bekuberomuvujere.pdfIn PDF document text
    • http://www.misshandicap.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160ab8ce82a34b---dugedizigifusevebe.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=real+gangster+old+versionPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d31d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD31D 5060 bytes
SHA-256: 48664cc03db16bb30e87c70e14fa8fc935c1d550158f13ed61bc0c5d625fbdde