Malicious PDF — malware analysis report

Static analysis result for SHA-256 1599cae3fa277c2f…

Verdict: MALICIOUS
File type: PDF
Size: 75.0 KB
Created: 2021-06-10 20:15:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 3a2bc4e9e3a6ec5dbb66fdfce235ccaf
SHA-1: ac0f32741a8a4a37314fba33f3aa382338e98aeb
SHA-256: 1599cae3fa277c2f016431024a89b32cde6f5875ea95312dab6078cde957de32
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8745

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    This small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This matches the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000df68.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF68 | 3956 bytes
  SHA-256: 73b7148b2f11823810de04da2c998b85c890408f8ec20ae312e8b73eeabd392c
font_01_sfnt_off0000ed69.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED69 | 5232 bytes
  SHA-256: 6627c3e4d20716c4fbd9c9541d8904bd0c5889c66579537c8d4200d0a9a7d540
font_02_sfnt_off0000ff38.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF38 | 11420 bytes
  SHA-256: ed32ac2f05dc7de797f11a1e4b5489a9092922517228be1ad5fbcfcd023246c2