Malicious PDF — malware analysis report

Static analysis result for SHA-256 13ffc7eff43c5f48…

MALICIOUS

PDF

63.7 KB Created: 2021-07-13 02:26:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 7e280b66515cac292e6666b4781abc4d SHA-1: 746be1540d5e653c73d727d2b66d6238b72a5a44 SHA-256: 13ffc7eff43c5f48c027c11509ebd54c87ffff1acde734a9aeba1f7ea80639f8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous links to external websites, many hosted on compromised CMS platforms, suggesting a link farm designed to redirect users to malicious content. The presence of embedded URLs and the nature of the heuristics strongly suggest this document is part of a phishing campaign or a downloader for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7889

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=what+do+you+mean+by+credit+note PDF link annotation
    • https://www.sir.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16089770def213---15660676038.pdfIn PDF document text
    • https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160a6405ee1f93---kevevagibufawofafu.pdfIn PDF document text
    • http://dichvugiayphep.biz/upload/ck/files/wubolabifaxuwasiwatepoven.pdfIn PDF document text
    • http://yatros.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160a2b73be6ce4---54223674379.pdfIn PDF document text
    • http://bergfin.se/wp-content/plugins/formcraft/file-upload/server/content/files/160834056032df---2814217742.pdfIn PDF document text
    • http://www.realisthotel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c28a8f09f46---79593253008.pdfIn PDF document text
    • http://emeraldoutback.com/clients/f/f6/f61299a274fa8fdb0c00f5b1ed511d42/File/lalebufajut.pdfIn PDF document text
    • http://vandervalk.reviews/app/webroot/files/userfiles/files/67550456297.pdfIn PDF document text
    • http://dientrotiendathc.com/media/ftp/file/gulujujerukiver.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/bcaeo2pm5pal12t2lq5r2cdug2/vavezopodilovumifiwuv.pdfIn PDF document text
    • https://www.kngroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a61af28c18b---63956426057.pdfIn PDF document text
    • https://www.bistro-e.com/wp-content/plugins/formcraft/file-upload/server/content/files/160714c6b7ea88---togodobazavud.pdfIn PDF document text
    • https://lotte-ppta.com/beta/assets/file/fesunutulur.pdfIn PDF document text
    • http://sistersaviopublicschool.com/userfiles/file/14842502805.pdfIn PDF document text
    • http://alsumiri.net/wp-content/plugins/super-forms/uploads/php/files/7b82ade51562f40b79701e231d96c71e/dobiwix.pdfIn PDF document text
    • http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4e62c10db9---80265861098.pdfIn PDF document text
    • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/b292c49e5033d757b83954c4bb3186d0/viwuduvokojes.pdfIn PDF document text
    • https://beaufortbond.com/wp-content/plugins/super-forms/uploads/php/files/394b42b8f2c72f09b8865006cb9fd9fa/nedopalefabokoparako.pdfIn PDF document text
    • http://ruihuitax.com/files/file/regafokakexejuso.pdfIn PDF document text
    • https://www.syah.org/wp-content/plugins/super-forms/uploads/php/files/d1da0eaccf77f4cc32e56e63472f96a9/panut.pdfIn PDF document text
    • https://palet-school.com/files/files/tobepekulukoluz.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090812cd8c44---pubafakefi.pdfIn PDF document text
    • http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b164c11eec---98876688543.pdfIn PDF document text
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607e4ac05dd7a---wakij.pdfIn PDF document text
    • http://whscardinals1963.com/clients/9/9e/9e5fab02d16e7113a74bdd4e7828f974/File/kogomeliravuk.pdfIn PDF document text
    • https://outsourcedbackoffice.co.uk/wp-content/plugins/super-forms/uploads/php/files/6e061d26824b9f6e60e29cecbdf6b4fa/15310011937.pdfIn PDF document text
    • https://alshamiltrading.com/alshamilfiles/file/mozimijopare.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cf95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCF95 16196 bytes
SHA-256: 87990f6fe5c1e8279883bfb660edd6dbe819a47909792aecae2b97ab666f78fa

Open this report in the interactive analyzer, or submit your own file for analysis.