Malicious PDF — malware analysis report

Static analysis result for SHA-256 16556da6f6bd182a…

MALICIOUS

PDF

96.0 KB Created: 2021-07-20 18:50:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: cef4c9f5bb0c92f40879c6ad2c0b4981 SHA-1: fb15be46f3de526c99d98ca42daea781c7679b65 SHA-256: 16556da6f6bd182a03683cfc5745db20cf419f82ebd7351d74211da518af2026
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised WordPress upload directories, suggesting an attempt to host malicious content or phishing lures. The presence of numerous links on disposable or compromised hosting indicates a tactic to obscure the ultimate destination and evade detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5002

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bascobrunswick.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608149e3c0868---rotawumijafu.pdf In PDF document text
    • https://oiweld.com/wp-content/plugins/super-forms/uploads/php/files/3a844e25818db514381ad1af234836d2/vipiropiripawejawovur.pdfIn PDF document text
    • http://szao-spb.ru/images/news/file/56492753092.pdfIn PDF document text
    • http://yaqeen-eg.com/userfiles/file/seroradizewoxafokida.pdfIn PDF document text
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/63534c237b45c8fa9f17fabf96a395d6/wavureluxepepizigagulud.pdfIn PDF document text
    • http://fdscience.com/UPFILE/userfiles/files/gowobiwori.pdfIn PDF document text
    • http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bb634678332---ledobuneraw.pdfIn PDF document text
    • http://softwarefactory.nl/images/file/91266091274.pdfIn PDF document text
    • http://amdind.com/userfiles/file/99864592523.pdfIn PDF document text
    • http://fortlauderdalelimorental.net/wp-content/plugins/formcraft/file-upload/server/content/files/160e767de87756---robulexuvavokumujojuj.pdfIn PDF document text
    • http://amdind.com/userfiles/file/62252849072.pdfIn PDF document text
    • http://land89.com/ckupload/files/danuw.pdfIn PDF document text
    • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/121faf7d775972c70f7a85ccbf51175d/bakuzuruzadinopegasazufuj.pdfIn PDF document text
    • http://rheumatology.institute/upload/content/file/68701964319.pdfIn PDF document text
    • http://webinaris.org/ckfinder/userfiles/publics/files/rabutezazeraxaz.pdfIn PDF document text
    • http://merwepizza.com/upload/file/40046679944.pdfIn PDF document text
    • https://greshamgilessalon.com/wp-content/plugins/super-forms/uploads/php/files/6adba9c60a13bd7326f3d5a6d90eac2e/fevuvawu.pdfIn PDF document text
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/16092322a7491b---gifupupas.pdfIn PDF document text
    • http://industrialdevices.in/uploads/35805088159.pdfIn PDF document text
    • http://sumnerclassof1976.com/clients/4/49/49b54eafcc86ae0c30eb104ab8b91c7c/File/rolab.pdfIn PDF document text
    • http://ilksolar.com/Images/Media/files/53227891578.pdfIn PDF document text
    • http://arabic.cz/ckfinder/userfiles/files/53702477803.pdfIn PDF document text
    • http://bagpack.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/160cd4c241607f---54966341041.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=what+is+the+greatest+common+factor+of+40+and+16PDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000128f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x128F6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001410d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1410D 11288 bytes
SHA-256: 81fa063affd147c06e6785fb739894add64fc6cb6af94c2b094d65cbcda42bef
font_02_sfnt_off00015b4d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15B4D 2640 bytes
SHA-256: 7cf5e381cd3e347f7ebbe440b63fcfb248ab18f789b7055ec012db775b253341