Malicious PDF — malware analysis report

Static analysis result for SHA-256 18fa7ff62454bc9f…

MALICIOUS

PDF

77.9 KB Created: 2021-05-12 15:49:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: dd7ef2b1ac866d9b47aae50692508eb3 SHA-1: c9157c03ee486a1f750ec9ad6fc4e4bfa9a8a096 SHA-256: 18fa7ff62454bc9f536d595bfade38c560c9dc7c9a6f155fb7f41f4eeed5af0c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links, many pointing to compromised WordPress sites and disposable hosting, suggesting a link farm used for phishing or malware distribution. The document body, though heavily obfuscated, appears to reference a datasheet, likely a lure to encourage users to click the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9746

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://prikolnaya.com/wp-content/plugins/super-forms/uploads/php/files/29f430f7939f884df5d5f7c018f39543/47818529019.pdf In PDF document text
    • https://holzhaus-suedtirol.it/wp-content/plugins/formcraft/file-upload/server/content/files/1606f389e26c5b---65121133651.pdfIn PDF document text
    • https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/160738559c9f55---94717523465.pdfIn PDF document text
    • http://aksaxena.com/bpms/includes/fckeditor_uploads/userfiles/file/50549763607.pdfIn PDF document text
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/8b48327175892cb2eb92cca83905b833/zakujemixajawugupo.pdfIn PDF document text
    • https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/082914b9224c9806187e5c9dad8d9c44/dowijavuvubimixirifagi.pdfIn PDF document text
    • http://jtour.vn/userfiles/file/pokubekifapamizunizejena.pdfIn PDF document text
    • https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/affc272eb80fb4dc55dfa92a6335340d/vuribodowewufelomiwutux.pdfIn PDF document text
    • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d001d1716c---40345026891.pdfIn PDF document text
    • https://amesmedicalservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072d9d57acbf---54005137304.pdfIn PDF document text
    • https://bluebeakbranding.com/wp-content/plugins/super-forms/uploads/php/files/da15d4195bf6d4e25e863e074d7a173d/17081487842.pdfIn PDF document text
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/16078962d4170a---6745709414.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/3f3c098f0dfde877d290321a1ffd5e6b/botawasavuwup.pdfIn PDF document text
    • http://abpaluso.com/upload/file/91571459190.pdfIn PDF document text
    • http://copy2d.com/ftp/image/file/49029047331.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=gsm+modem+sim900a+datasheetPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fbbb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFBBB 5264 bytes
SHA-256: 3de92eb794a92dcb9e9e469bcc8ee714dae6d1dbef740f9ba96c437ea0e0ed1f
font_01_sfnt_off00010d72.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D72 11676 bytes
SHA-256: 095c835d6b66b6feef789ae86dbea180d61bdffbd1a1adb352bd20da5bebde01