Malicious PDF — malware analysis report

Static analysis result for SHA-256 19aacb7633e8bebc…

MALICIOUS

PDF

73.7 KB Created: 2021-08-12 22:50:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: b4db534e30f20b0efbb99bc41192c422 SHA-1: 0d16d996c0704bd005bbd20ae77547497d869607 SHA-256: 19aacb7633e8bebc01b9580a24c34403e379c96575e84f9158a82b0d86358c48
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document identified as malicious by ClamAV and an ML classifier. It contains numerous embedded URLs, many of which point to compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The presence of these links and the overall structure indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9720

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/uplcv?utm_term=who+is+the+god+of+destruction+of+universe+13 PDF link annotation
    • https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/71117252703ae36a78c9fa294ed50480/60243766070.pdfIn PDF document text
    • https://rjiminfra.com/wp-content/plugins/super-forms/uploads/php/files/03b7d1ad09e427fbc069aa5b5fc82d41/farerex.pdfIn PDF document text
    • http://bulk-supplies.com/userfiles/file/wavoluwafigafisetife.pdfIn PDF document text
    • http://eske.hu/wp-content/plugins/formcraft/file-upload/server/content/files/16079fb73b9463---ravubuzafajewonuxitiwos.pdfIn PDF document text
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609553ce79166---1611113923.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc7c6a1557e---tukawavesalep.pdfIn PDF document text
    • https://amrapalispot.com/userfiles/file/mawuwazapevizewitaw.pdfIn PDF document text
    • http://lotusburbank.com/uploads/files/wazupajoxu.pdfIn PDF document text
    • http://aite-materials.com/upfiles/file/mavoxo.pdfIn PDF document text
    • https://penzionradvanice.cz/res/file/57937343793.pdfIn PDF document text
    • http://www.cafeinca.com/img/public/contenido/file/30162326866.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160717ab7a2157---12280641147.pdfIn PDF document text
    • https://notofthisgalaxy.com/wp-content/plugins/super-forms/uploads/php/files/o6frkmrm14k7ev0ns5bd4sdq0d/nibixuvux.pdfIn PDF document text
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160c5a0af54133---21957467687.pdfIn PDF document text
    • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160a3a694a857d---99998076957.pdfIn PDF document text
    • https://goodline.by/userfiles/file/vedepode.pdfIn PDF document text
    • https://ltgtrends.com/wp-content/plugins/super-forms/uploads/php/files/605866a8198dde71caec241b9737f185/xodivu.pdfIn PDF document text
    • http://srsheicha.com/uploadfile/file/sudarajapef.pdfIn PDF document text
    • http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1606d63bccfe90---27713359269.pdfIn PDF document text
    • https://kisikana.hr/userfiles/file/mozajagetoz.pdfIn PDF document text
    • https://mikepromedia.com/wp-content/plugins/super-forms/uploads/php/files/5j85ih53gshd3ut8s4an83ddq6/91462649774.pdfIn PDF document text
    • http://www.atrium-tuiles.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ebb18c8bc5---42802533811.pdfIn PDF document text
    • http://droprint.my/home/ququ4923/public_html/userfiles/file/moniwekulepinirebene.pdfIn PDF document text
    • http://ruihuitax.com/files/file/nevapusini.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF3BD 17460 bytes
SHA-256: 3b9b7398cbdd992f79fb008f61f5f04643ea1a530fc579224948c1378e562267