Malicious PDF — malware analysis report

Static analysis result for SHA-256 19142dcb7c0f8f78…

MALICIOUS

PDF

72.0 KB Created: 2021-09-15 15:11:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: f1744d1ae2c7af9191dd38a740b42ec5 SHA-1: 09fd6395ba3b40864bc4def4297cb0b18e8a30ae SHA-256: 19142dcb7c0f8f78b0c705d858c64e3ce6d01f07cfcedd8a5c7c812b9d5f5241
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. Static analysis reveals numerous embedded URLs, many of which are hosted on compromised or disposable domains, suggesting a link farm designed to redirect users. The presence of 'utm_term' parameters in some URLs indicates a phishing or spam campaign context.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4326

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=mcq+research+methodology+pdf PDF link annotation
    • http://rooptex.com/uploads/12496328248.pdfIn PDF document text
    • https://lose-weight.tw/upload/files/fifemofefuloj.pdfIn PDF document text
    • http://orderleesushi.com/uploads/files/dupefazisilotiropo.pdfIn PDF document text
    • http://szybkieprawko.pl/szybkieprawko.pl/user/admin/fck/file/viruduwaxilugu.pdfIn PDF document text
    • http://kerekagy.hu/UserFiles/file/92016306432.pdfIn PDF document text
    • http://gibisch.org/files/files/bufadixiwajaxop.pdfIn PDF document text
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1613faecae8724---25917525727.pdfIn PDF document text
    • https://icoachyou.biz/images/ckeditor/files/37312769793.pdfIn PDF document text
    • https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/53pt0iruchb8h62v4hvcpsene1/pufoketitugidezexalexej.pdfIn PDF document text
    • http://finpacecuador.com/userfiles/file/xopew.pdfIn PDF document text
    • http://ayrh.internet-match.com/upload/files/nuvomedoresetuv.pdfIn PDF document text
    • http://vibrobeton.by/pics/files/turareboxejuxofemikeket.pdfIn PDF document text
    • http://restaurant-lyons.fr/userfiles/file/89103632961.pdfIn PDF document text
    • http://oryginalnedekoracje.pl/userfiles/file/jojanirakojege.pdfIn PDF document text
    • http://gotoippc.com/ckfinder/userfiles/files/17314595963.pdfIn PDF document text
    • http://fu-xin.tw/uploads/files/202109040759231835.pdfIn PDF document text
    • https://miamiuniquelimo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612f3ed647d79---logeziwaxisejokufe.pdfIn PDF document text
    • http://nature-revive.org/files/file/lafusomakazex.pdfIn PDF document text
    • https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/maeppdcqcbfbem33hfutito8ml/65026985722.pdfIn PDF document text
    • http://nanouklid.cz/upload/file/sovabunivagisov.pdfIn PDF document text
    • http://yaqeen-eg.com/userfiles/file/saxoduruwobagivogidakanu.pdfIn PDF document text
    • https://perfecthospital.net/FCKeditor/file/nedasulakobotejif.pdfIn PDF document text
    • https://fototipia.hu/files/files/joweda.pdfIn PDF document text
    • https://geniodelweb.com/file/97920727842.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d677.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD677 17400 bytes
SHA-256: 5404cdb447e96418e90a123ff262d831f69e036ce01aa1b0760e323a5d83bbce
font_01_sfnt_off0001032d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1032D 11124 bytes
SHA-256: 08bb88fb2e268d4a26c9fa8098147e91531cba5205e2417f6d6b378ec9902828