Malicious PDF — malware analysis report

Static analysis result for SHA-256 1505de0ee7dd394a…

MALICIOUS

PDF

70.3 KB Created: 2021-09-23 21:10:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 3516d32a05313dcbc3eb1cfcdc62848a SHA-1: f9eb7df15f3aa62560cc3c698a0f53839580d2cf SHA-256: 1505de0ee7dd394ab7768e7598d3a94dc56e5ab7223bae08fc70e7d8098d2ed1
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as a phishing trojan by ClamAV. Static analysis revealed numerous embedded URLs, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of external URI and link farm heuristics strongly indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4539

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=powerdirector+premium+apk+free+download PDF link annotation
    • http://yasairamenbar.com/uploads/files/miveri.pdfIn PDF document text
    • http://1-sanya.com/blog_images/blog_/file/90648803203.pdfIn PDF document text
    • http://www.altrus.pl/wp-content/plugins/formcraft/file-upload/server/content/files/161350c93d6d99---52813089916.pdfIn PDF document text
    • https://vresponse.net/userfiles/file/kuxutekupibaz.pdfIn PDF document text
    • http://webs123.com/userfiles/file/pagenoniw.pdfIn PDF document text
    • https://jaukiaplinka.lt/ckfinder/userfiles/files/kawepazuju.pdfIn PDF document text
    • http://mamnonkitty.com/webroot/img/posts/files/69793373146.pdfIn PDF document text
    • http://tksvolga.ru/userfiles/file/dewefogemilobop.pdfIn PDF document text
    • http://nktrading.qa/file/files/96044548747.pdfIn PDF document text
    • http://jjw-led.com/userfiles/file/sutaderosun.pdfIn PDF document text
    • http://phongkhamthienhoa.org/images/files/popewulakap.pdfIn PDF document text
    • http://evrokomplekt.ru/userfiles/file/zurutojumobaf.pdfIn PDF document text
    • https://bilegt.mn/userfiles/files/vumokokax.pdfIn PDF document text
    • https://f27szerviz.hu/upload/files/raxijodirekare.pdfIn PDF document text
    • http://nutronicltd.com/userfiles/file/43387466284.pdfIn PDF document text
    • http://hawaiisushi.iorderfoods.com/uploads/files/41671819830.pdfIn PDF document text
    • http://asiancfea.org/userfiles/file/3374578909.pdfIn PDF document text
    • https://australiancaravancentre.com.au/application/third_party/ckfinder/userfiles/files/83974328201.pdfIn PDF document text
    • http://roland-toys.eu/userfiles/file/2486493247.pdfIn PDF document text
    • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614c947514daf---35050149636.pdfIn PDF document text
    • http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/b6aee8dcaa3084a151f007d343a9799c/lisamo.pdfIn PDF document text
    • http://gorisum.net/fckeditor/upload_file/file/17765329559.pdfIn PDF document text
    • http://redactron.com/userfiles/file/63680708400.pdfIn PDF document text
    • https://inprovitperu.com/ckfinder/userfiles/files/xugepegusilerizagulasutex.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc11.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCC11 10892 bytes
SHA-256: f15230bb2c2c926e6c2ba030d949a062316978bd4af03b0bcbee55fe20842633
font_01_sfnt_off0000e54f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE54F 17408 bytes
SHA-256: a97c128dd391bcc2b52a05e7e885682f38bac5792fb0209c2c71c130041c7ed0