Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dc671f5eb6da2e1…

Verdict: MALICIOUS

File type: PDF

Size: 234.4 KB
Created: 2021-06-25 21:54:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 1e6174bb1ca077d4e2cefd00ace4e317
SHA-1: e6e710ed8ce53f1295d2df1480006c04a104c966
SHA-256: 1dc671f5eb6da2e1f9a11b3642e5804d7b693d5ab017299af134e051cc41a8c3

Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document identified as malicious by ClamAV and an ML classifier. It contains a link farm pointing to compromised WordPress upload storage, suggesting an attempt to distribute further malicious content. The PDF's structure and embedded links indicate a phishing or malware distribution lure, likely intended to trick users into downloading a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7862

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk lies in the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.