Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d847d28e4bc1a26…

Verdict: MALICIOUS

File type: PDF

Size: 84.5 KB
Created: 2021-06-20 10:12:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: e1d672a415b5c601d895228b74751a43
SHA-1: 75db2c9fd45e60361a4ca9f2aab55728a3089977
SHA-256: 1d847d28e4bc1a26749646a72d10572ea259a26b39699d6b8b44ddc821edcd39
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file is identified as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous links to external PDF files hosted on compromised websites, suggesting a link farm designed to distribute malware. The document body, though heavily obfuscated, implies a lure for downloading a specific PDF, aligning with a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8271

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL in parentheses):
    • https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b24cd788bcb---gajiwid.pdf (In PDF document text)
    • http://apexnepaltravel.com/userfiles/file/kamoguse.pdf (In PDF document text)
    • https://atraba-holding.com/userfiles/file/bibewigagogaduji.pdf (In PDF document text)
    • http://bscartridge.com/pic/lalizezuno.pdf (In PDF document text)
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160896128ec82c---didezaresivekiginel.pdf (In PDF document text)
    • https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/1e3cb596b3c247d60d04700bf93e2277/81072035118.pdf (In PDF document text)
    • https://www.plsok.com/wp-content/plugins/super-forms/uploads/php/files/018d10e465077b5051eaf4da1c44a3da/pubiwuxajigufesopagoveni.pdf (In PDF document text)
    • http://www.kocay.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160c122fe6368d---15383971611.pdf (In PDF document text)
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f8860a0486---kagokaveguri.pdf (In PDF document text)
    • https://pinotcar.com/wp-content/plugins/super-forms/uploads/php/files/63f352a92fae70d0135f5ba7d83831f5/19439512506.pdf (In PDF document text)
    • https://www.cukoyem.com.tr/wp-content/plugins/super-forms/uploads/php/files/mcles3a40qp0ot6f4k2kq113k3/wukatepipapozinozo.pdf (In PDF document text)
    • https://diversified-nj.com/wp-content/plugins/super-forms/uploads/php/files/2c75d6ef3e79b9d2a85f710151262290/xisexumipedix.pdf (In PDF document text)
    • http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609c7fe3c5b28---gapofukijason.pdf (In PDF document text)
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/d3b2dc93f9911f5786ac85125e4e00a5/50878376973.pdf (In PDF document text)
    • http://www.associatedomains.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ca5c4360a6---besumesozog.pdf (In PDF document text)
    • https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/351c658cf3308131cb7e0bd98b0fbdf8/warasexuw.pdf (In PDF document text)
    • http://alnoorcity.com/userfiles/file/71369337696.pdf (In PDF document text)
    • http://lilit-realty.com/wp-content/plugins/super-forms/uploads/php/files/mqlt196hpiirrrfqd80etpaqs6/8083223121.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=elements+of+mercantile+law+nd+kapoor+pdf+download (PDF link annotation)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000130f8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x130F8
    Size: 5200 bytes
    SHA-256: 2f285319a21bd1b3efeb030df54867109291ad8f0daf4598736c14ff5bccb221