Malicious PDF — malware analysis report

Static analysis result for SHA-256 146bca7c878e52ff…

Verdict: MALICIOUS

File type: PDF

Size: 197.2 KB
Created: 2021-08-25 04:43:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11
MD5: f6ff975492a0da8d1152ebf434916cca
SHA-1: 55dc97646c00abc860088a6f47779c0a3de73496
SHA-256: 146bca7c878e52ffd1bcb228d7a60b8c9e1a13f0927c34801821928413f59ae6
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The embedded URLs and the 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' heuristic indicate that the document directs users to compromised WordPress sites, likely to host malicious content or phishing pages. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    The PDF contains multiple clickable links, spread across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI (info) PDF_URI
    The PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.