Malicious PDF — malware analysis report

Static analysis result for SHA-256 1747ad9d31aff0b3…

Verdict: MALICIOUS

File type: PDF

Size: 74.8 KB
Created: 2021-09-02 02:32:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-05
MD5: 12ec003b0b5130bcdf1b26b993b5d2d5
SHA-1: 00e318dc8b91ca58867e7a1345b156d8ff64667a
SHA-256: 1747ad9d31aff0b314057e44762c7f9e627bbe86e29029ff58261bc3e82cc3bf
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF embeds numerous URLs. Apart from two links to the DejaVu font project's site (dejavu.sourceforge.net, consistent with the embedded DejaVu font streams carved below), nearly all point to random-slug .pdf files parked in the upload directories of compromised CMS installations (WordPress FormCraft and Super Forms upload folders, ckfinder/ckupload/userfiles paths), and the single clickable link annotation is a utm_term SEO redirector on huntic.ru. This is the pattern of an SEO phishing link farm: the document ranks for search queries and routes readers to those destinations, which host the payload or redirect chains. The PDF itself carries no exploit; the ClamAV phishing signature and the Nyx classifier score corroborate the verdict, and the risk sits in the linked hosts rather than in the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5474

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://huntic.ru/uplcv?utm_term=nordic+skiing+new+hampshire  (PDF link annotation)
    • http://vetcasatenovo.it/userfiles/files/lisazazisok.pdf  (in PDF document text)
    • http://www.advokat.com/app/webroot/img/fck/file/fesazodobutu.pdf  (in PDF document text)
    • https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/pfpl1hpfh0k3tl418ri9ehntv1/napokatujesikumezugiw.pdf  (in PDF document text)
    • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607a939512ceb---76658236060.pdf  (in PDF document text)
    • http://solemarservizi.it/userfiles/files/57639533437.pdf  (in PDF document text)
    • https://cfi-registration.org/buzzboxgift/img/userfiles/files/839054749.pdf  (in PDF document text)
    • http://www.jfac.kr/ckfinder/userfiles/files/maxukavevidurifikajot.pdf  (in PDF document text)
    • http://a2itsolutions.com/chop/multimedia/userfiles/file/9656283351.pdf  (in PDF document text)
    • http://osullivanspressurewashing.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8c16768fd6---sozurukulizoxo.pdf  (in PDF document text)
    • http://gostium.com/wp-content/plugins/formcraft/file-upload/server/content/files/160faf17d1096d---59774619567.pdf  (in PDF document text)
    • https://krono-original.vn/Images_upload/files/geziziwosa.pdf  (in PDF document text)
    • http://gzmzwl.com/Uploadfiles/files/79225604452.pdf  (in PDF document text)
    • http://imssp.by/data/images/fxeditor/file/97064452896.pdf  (in PDF document text)
    • http://svenstavik.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4b049e3ae0---83393131779.pdf  (in PDF document text)
    • https://businesslife.com/content/file/jakifudekunirivup.pdf  (in PDF document text)
    • https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c24687e2b14---35202261303.pdf  (in PDF document text)
    • http://jkmdc.com/aversystem.com/userfiles/file/99623557248.pdf  (in PDF document text)
    • http://jhdljz.com/userfiles/file/1624156547.pdf  (in PDF document text)
    • http://ddaengshop.com/ckupload/files/mikarolesilus.pdf  (in PDF document text)
    • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/d2480f3e97a7eb7287da237bae93e695/16112884787.pdf  (in PDF document text)
    • http://tribo.kz/userfiles/File/xexidizorirovuze.pdf  (in PDF document text)
    • https://simovi.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160b49077721d6---resojotixofumaboxewosi.pdf  (in PDF document text)
    • http://ty6600.com/userfiles/file/89439219824.pdf  (in PDF document text)
    • http://dejavu.sourceforge.net  (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License  (in PDF document text)
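Worked example, added to this report and not part of the analysis engine that produced it: a stdlib-only Python scanner that reproduces the two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) together with the per-channel URL labelling used by EMBEDDED_URL, and runs it over a constructed minimal PDF that reuses a handful of the URLs listed above, plus a constructed benign control. The function names, the upload-path list, the random-slug regex and the thresholds (at least three .pdf links on three hosts, no host holding more than half of them, a utm_term redirector present) are assumptions of this example, not the detector's real rules. It inflates FlateDecode streams but does not handle object streams, encryption or other filters, and it does not implement the free/disposable-host check mentioned in the second heuristic.

```python
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample (not the analysed file): a minimal uncompressed PDF with one
# /URI link annotation and a content stream carrying bare URLs in page text. The
# URLs are copied from the EMBEDDED_URL list; /Length is not checked by this scanner.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://huntic.ru/uplcv?utm_term=nordic+skiing+new+hampshire) >> >> endobj
5 0 obj << /Length 0 >>
stream
BT (http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607a939512ceb---76658236060.pdf) Tj
(https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/pfpl1hpfh0k3tl418ri9ehntv1/napokatujesikumezugiw.pdf) Tj
(http://vetcasatenovo.it/userfiles/files/lisazazisok.pdf) Tj
(http://dejavu.sourceforge.net/wiki/index.php/License) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign control: two citations on one host inside a FlateDecode
# stream, to exercise the inflate path and the no-dominant-host rule.
_benign_body = zlib.compress(b"BT (https://example.org/docs/report.pdf) Tj "
                             b"(https://example.org/docs/appendix.pdf) Tj ET")
BENIGN_PDF = (b"%%PDF-1.4\n5 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n"
              % len(_benign_body) + _benign_body + b"\nendstream\nendobj\n%%EOF\n")

URI_ACTION = re.compile(rb"/URI\s*\(([^)]+)\)")           # /A << /S /URI /URI (...) >>
BARE_URL = re.compile(rb"https?://[^\s()<>\"']+")          # URL sitting in page text
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# Upload/file-manager paths named in the report's heuristics (assumed pattern list).
UPLOAD_DIR = re.compile(
    r"/wp-content/plugins/(?:formcraft|super-forms)/|/userfiles/|/ckfinder/|/ckupload/", re.I)
# Random-slug file name: optional hex token + "---", then a long letter or digit run.
RANDOM_SLUG = re.compile(r"/(?:[0-9a-f]+---)?(?:[a-z]{10,}|\d{9,})\.pdf$", re.I)


def _inflate(body):
    """Inflate a FlateDecode stream body; hand back the raw bytes if it is not deflate."""
    try:
        return zlib.decompressobj().decompress(body) or body
    except zlib.error:
        return body


def extract_urls(pdf):
    """Return (url, channel) pairs: link annotations from /URI actions, and
    URLs found in (inflated) stream bodies labelled as document text."""
    found = [(m.group(1).decode("latin-1"), "link annotation")
             for m in URI_ACTION.finditer(pdf)]
    for m in STREAM.finditer(pdf):
        for u in BARE_URL.finditer(_inflate(m.group(1))):
            found.append((u.group(0).decode("latin-1"), "document text"))
    return found


def classify(urls, min_links=3, max_host_share=0.5):
    """Apply the two link-farm heuristics; thresholds are assumed values."""
    pdf_links = [u for u, _ in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    cms_upload = [u for u in pdf_links
                  if UPLOAD_DIR.search(urlparse(u).path)
                  and RANDOM_SLUG.search(urlparse(u).path)]
    redirectors = [u for u, _ in urls if "utm_term" in parse_qs(urlparse(u).query)]
    findings = {
        # many random-slug .pdf targets in plugin upload dirs, spread over many hosts
        "PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM":
            len(cms_upload) >= min_links
            and len({urlparse(u).hostname for u in cms_upload}) >= min_links,
        # many external .pdf links, no dominant host, plus a utm_term SEO redirector
        "PDF_SEO_DISPOSABLE_LINK_FARM":
            len(pdf_links) >= min_links and len(hosts) >= min_links
            and top_share <= max_host_share and bool(redirectors),
    }
    stats = {"pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
             "top_host_share": round(top_share, 3),
             "cms_upload_links": len(cms_upload), "seo_redirectors": redirectors}
    return findings, stats


def analyze(pdf):
    """Full pass: URL extraction with channel labels, then the two heuristics."""
    urls = extract_urls(pdf)
    findings, stats = classify(urls)
    return {"urls": urls, "findings": findings, "stats": stats}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        r = analyze(doc)
        print(name, r["stats"], {k for k, v in r["findings"].items() if v})
```

On the constructed sample both heuristics fire: three .pdf targets on three different hosts, each in a plugin upload or userfiles path with a random slug, and the huntic.ru annotation supplies the utm_term corroboration. The benign control, two citations on one host, has a top-host share of 1.0 and no redirector, so neither rule fires. The channel label matters operationally: only the annotation is clickable in a viewer, while the document-text URLs reach a reader who copies them or a crawler that indexes the PDF.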

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000df1b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF1B | 18188 bytes
  SHA-256: 55920863d30363ced9fc2679cb9fdb58eea7d7e42e0b0de3afe1c162f04f53ab
font_01_sfnt_off00010e37.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E37 | 10972 bytes
  SHA-256: 14b4e13e038e66ed6556f09f1ac569410a5992ad83e572eaa85aee23f0fd1fe3