Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b541b68895d4990…

MALICIOUS

PDF

70.2 KB Created: 2021-09-07 08:26:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5b41a2e1a377429a1a2d89abfe9e32f7 SHA-1: 2661ecd9b9665d45eb78e592464280671f248aed SHA-256: 1b541b68895d4990ee450f0df7148c34c9737014d1806d300c1ddacd40a3586e
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external links, many pointing to compromised websites or disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded JavaScript likely facilitates the redirection to malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8257

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=invertebrate+worksheets+for+3rd+grade
    • https://sogelec-eng.com/files/ckfinder/files/vananasatalatu.pdf
    • http://ajmason.com/admin/ckfinder/userfiles/files/37979424035.pdf
    • http://pferdefreunde-brueckenhof.de/sites/default/files/userfiles/file/duzopuxatiralar.pdf
    • https://eyescare.vn/app/webroot/upload/ckfinder/files/60292202871.pdf
    • https://aiaciran.org/cache/fck_files/file/25397144553.pdf
    • http://purepoem.com/resource/docContentImg/file/2021-08-25/871be08df8b4b841b5a798e68d04eb1f.pdf
    • https://istanajpdua.com/contents//files/letomaj.pdf
    • https://biomedchita.ru/imeg_master/file/vuwamuvedazelubejez.pdf
    • https://wcdt.co.th/wp-content/plugins/super-forms/uploads/php/files/ucd998824dlu715fd1pjmart2m/zoxupul.pdf
    • http://iltorg.ru/upload/file/66642506182.pdf
    • http://www.victorian-manor.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160b775ae49d38---bikukakewokaruweti.pdf
    • https://psiakocky-potisk.cz/webpagebuilder/ckfinder/userfiles/files/46498003949.pdf
    • https://daks-96.com/f/uploads/files/29120550617.pdf
    • http://www.fsnn.se/wp-content/plugins/formcraft/file-upload/server/content/files/1608b2159f3de5---zeporapowosexolip.pdf
    • http://mpwlawpa.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/25330585991.pdf
    • http://www.studiolegalefusimorelli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160765cfc060e9---57386684991.pdf
    • http://tlw.ro/UserFiles/file/51591407033.pdf
    • http://lexus-custom.com/js/upload/files/simaxalujitibaxidibenetin.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/2a80be325f2a3a371eaf72bc85f2ff42/mavifusedudagogizugakitap.pdf
    • https://12shio1.com/contents//files/muvekise.pdf
    • http://balassalaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/72873585617.pdf
    • http://futurepoolandspa.com/ckfinder/userfiles/files/vobijuwexafigakuf.pdf
    • http://fecirturizm.com/resimler/files/57018335515.pdf
    • http://stavclearing.ru/upload/files/42567907037.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c702.bin
935cc95cc9f228a302b40b9c4482b771e47a4e877d6f605b666cb9297c7d9959		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC702 17348 bytes
font_01_sfnt_off0000f42a.bin
8bce7bdc66e99f1b8af639ce032c21cb3ad6995de1c17bab95761cf46d026f54		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF42A 11000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.