Malicious PDF — malware analysis report

Static analysis result for SHA-256 16f8e2ccdb642994…

MALICIOUS

PDF

67.8 KB Created: 2021-06-24 22:52:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: 11ec016d5d4dc8a6c6cb95c8b80c922c SHA-1: d1a849630f29099608a5a527d5b86b26a47f6d5a SHA-256: 16f8e2ccdb642994cdf556e769bd378f2c7c91ee926a9bcbafd513536957b3ea
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous URLs pointing to compromised WordPress upload directories, suggesting a link farm used for distributing malicious content or phishing. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and 'Qt', indicating it was likely generated by a tool rather than being a legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9822

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081cdd9a4c8a---pozogasos.pdf In PDF document text
    • https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b2f72aec761---51533808905.pdfIn PDF document text
    • http://manninareunion2012.com/clients/0/03/03b30fdf9aaeeba733afadbef254ff7b/File/61206859889.pdfIn PDF document text
    • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/oa8pjgs0jftbseiorcgg8midq0/98951076276.pdfIn PDF document text
    • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606d493096299---jorebelakuxebedijewozit.pdfIn PDF document text
    • http://www.goldenlantern.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1608f50545a2d1---52132378699.pdfIn PDF document text
    • https://brusroom.com/wp-content/plugins/super-forms/uploads/php/files/02df0bb2b2f551e2e0043f4804ddb808/lizubafaguzumomupupagu.pdfIn PDF document text
    • https://www.truesdalepainting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d545ac643d---gavawe.pdfIn PDF document text
    • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160b4d0895040a---kabezezasetigoxune.pdfIn PDF document text
    • https://canadiancontractorservices.com/wp-content/plugins/super-forms/uploads/php/files/0s44ahm5m9e98n2c4urj1cjcv1/dumazov.pdfIn PDF document text
    • http://xn--80aamdqpfpr.xn--p1ai/upload_picture/33963007925.pdfIn PDF document text
    • https://www.kngroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607450444ea15---rorifubavogid.pdfIn PDF document text
    • http://vejwun.cz/images/10685883536.pdfIn PDF document text
    • https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/c90f65a78c011c8b6b90aecf015787c1/begelekisekosonejiwuxox.pdfIn PDF document text
    • https://dialogueinpraxis.net/files/docs/jujup.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=duke+ellington+nutcracker+suite+pdfPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000deb0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDEB0 5388 bytes
SHA-256: fd711754262cf2e2e8190d74afe7edd6889f38045bb985b4a7f66004cacf2552
font_01_sfnt_off0000f11e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF11E 10664 bytes
SHA-256: 01d43a68836e98d20953a2c10118f418fff85445b3530c1c6202141b2eebc1fe

Open this report in the interactive analyzer, or submit your own file for analysis.