Malicious PDF — malware analysis report

Static analysis result for SHA-256 1662174b304756be…

MALICIOUS

PDF

78.2 KB Created: 2021-09-09 11:29:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: b79cc66e25a276334cec0f7bb6224b64 SHA-1: c1edf7d16dfbf4cb5140c69465caede022b91223 SHA-256: 1662174b304756bee0b4d8d40a6ba20f844eb3435b8b74b350b0ec610833d5ff
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. Static analysis reveals it functions as a link farm, directing users to multiple compromised or disposable hosting sites. The presence of numerous PDF links and the use of compromised CMS upload storage indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2980

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chieucoingason.vn/files/33340660323.pdf In PDF document text
    • http://afghansolar.com/userfiles/file/folemug.pdfIn PDF document text
    • http://vaness-sens.fr/ckfinder/userfiles/files/5155244719.pdfIn PDF document text
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/cd651323dd0ecbc3bae469e288f42759/xobedufomovinugijibag.pdfIn PDF document text
    • http://thefarmatarapahoecounty.com/userimages/85907092331.pdfIn PDF document text
    • https://theelementrama9.com/userfiles/files/xisirovuduwifedoxojubosul.pdfIn PDF document text
    • https://gsm.company/ckfinder/userfiles/files/11522077032.pdfIn PDF document text
    • https://onhimalayas.com/ckfinder/userfiles/files/18697583045.pdfIn PDF document text
    • https://kingbakerypans.com/userfiles/file/84642578230.pdfIn PDF document text
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/0535a2b4523e819b70d026c50f16790c/20739982522.pdfIn PDF document text
    • http://eikenhorstgroep.nl/userfiles/file/15378703273.pdfIn PDF document text
    • https://etravelbox.com/scgtest/team-explore/uploads/files/64221250219.pdfIn PDF document text
    • https://ohligschlaeger-berger.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613575b196a01---46240991469.pdfIn PDF document text
    • http://sportingclubalbinia.eu/userfiles/files/siworirejomejo.pdfIn PDF document text
    • https://doublehaircenter.com/upload/ckfinder/files/39069115935.pdfIn PDF document text
    • http://www.infranetltd.com/wp-content/plugins/formcraft/file-upload/server/content/files/16131d88f356f3---34128727837.pdfIn PDF document text
    • https://pnp-studio.com/fckeditorfiles/file/pujanox.pdfIn PDF document text
    • http://silver1979.com/upload/file/91757296718.pdfIn PDF document text
    • http://saiprogetti.net/userfiles/files/leluravupa.pdfIn PDF document text
    • http://hooleihomes.com/cms_images/file/54072999294.pdfIn PDF document text
    • http://bfr-bialapodlaska.pl/userfiles/file/89837748999.pdfIn PDF document text
    • https://dichvumayphoto.vn/webroot/img/files/53069146434.pdfIn PDF document text
    • http://abwhopewell.com/uploads/files/87098596614.pdfIn PDF document text
    • http://qianxi.cn/filespath/files/20210905062952.pdfIn PDF document text
    • https://praktijk-fix.nl/userfiles/image/file/68296350085.pdfIn PDF document text
    • https://www.borzabadi.com/ckfinder/userfiles/files/lezisegugabalexarox.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=temple+run+2+volcanoPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea90.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA90 16956 bytes
SHA-256: c9c607c658349747d258b53f77436a1a1df0863635fad8f811ae7a2028dcaf08
font_01_sfnt_off00011669.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11669 10424 bytes
SHA-256: 482b86a2740046a4da56178db247967f0330809b20db103af0ffa4090f61c079