Malicious PDF — malware analysis report

Static analysis result for SHA-256 19d0d64201728852…

MALICIOUS

PDF

62.5 KB Created: 2021-04-29 12:25:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f1142d765018163ecdaf13c37adb1471 SHA-1: b2256ef9e424ad26e784a1f543a1cfbea473e4fa SHA-256: 19d0d64201728852dddce1592966f14cbe34d5a25e91ff805c23a94e43a12db9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs pointing to compromised WordPress sites, likely intended to host phishing content or further malware. The presence of external URIs and link farm heuristics strongly suggests a malicious intent to redirect users to potentially harmful destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8124

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://csom.cz/wp-content/plugins/super-forms/uploads/php/files/167436585e7535b8a66750c3c62f001a/67363008372.pdf
    • https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608579ff7f12e---leritepijerafemedaperiv.pdf
    • http://paymentsbusiness.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607b28a34cd8a---60003493693.pdf
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/civgtue8pdtqh7ca5a8d5a2s00/80030031614.pdf
    • https://omomediacion.com/wp-content/plugins/super-forms/uploads/php/files/c302b9a9f0a49fcb3fbfb315022ca7d5/livekavelirepizevukub.pdf
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/160836f07bb7ad---jaduvomefuto.pdf
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16076b50bd5498---1435381669.pdf
    • https://www.adcgrain.com/wp-content/plugins/super-forms/uploads/php/files/12f87c17a4f497e5b3f0c4275c78d6dd/63723861270.pdf
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/a10847e594927a7286be7102ba94448c/75800864391.pdf
    • http://botanicgardenscafe.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16076fa642fe8d---83522466722.pdf
    • http://www.linkkorea.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/1607a775196fa7---59555485530.pdf
    • http://middlegeorgiacoinclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076df9cc5923---4888880798.pdf
    • https://voicelux.ru/wp-content/plugins/super-forms/uploads/php/files/a96f93650a59a25ab8d917160582dfe3/fezowexomexelokusajasune.pdf
    • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/93f51ea2036c35690496ed644949cb70/3167815765.pdf
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1606c97fa85093---vetoton.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=free+printable+alphabet+bunting+template
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9c0.bin
5a618a766da452ccc923e45b195529610ddba12498a2530a7a0fbc95961d84aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9C0 5152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.