Malicious PDF — malware analysis report

Static analysis result for SHA-256 1de91aeffca08426…

MALICIOUS

PDF

54.0 KB Created: 2021-09-22 23:48:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 44291b6976be02e259dd79b4c65d342f SHA-1: 64855e9f434e088e25538613d1b7a08b376ecb4f SHA-256: 1de91aeffca0842665d6d8664e5bd348115598cd851a797ed911a2e4199aa51c
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a large number of external URIs, many of which point to compromised CMS uploads or disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly support its malicious nature. The embedded JavaScript likely facilitates the redirection to these malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8263

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=hotstar+disney+mod+apk PDF link annotation
    • https://rpaxis.net/userfiles/file/20278487873.pdfIn PDF document text
    • http://dastone.ru/userfiles/file/fafiwetonon.pdfIn PDF document text
    • http://pxmonastery.org/CKEdit/upload/files/tuwezikuduruzefugojim.pdfIn PDF document text
    • http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/1613502b6cf525---doduv.pdfIn PDF document text
    • http://stroynerud-sm.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1613a99fa797de---31043418856.pdfIn PDF document text
    • https://messianic.live/wp-content/plugins/super-forms/uploads/php/files/10b4ad73403bdf3fecff45ab75465068/sepuwufepimosujuwogipe.pdfIn PDF document text
    • http://technology-mp.it/userfiles/files/29305214387.pdfIn PDF document text
    • http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613bdada10cb9---dipidi.pdfIn PDF document text
    • http://amandatour.ru/js/ckfinder/userfiles/files/88041283649.pdfIn PDF document text
    • http://www.uc-kushiro.net/images/library/File/datiganigobijozajoxakegu.pdfIn PDF document text
    • http://basketaci.cz/UserFiles/File/6929782396.pdfIn PDF document text
    • https://member-amz-seller-system.de/wp-content/plugins/super-forms/uploads/php/files/0e95f38e61a4f7e50ef357327e2137ab/19212106707.pdfIn PDF document text
    • https://olivierdaulte.com/ckfinder/userfiles/files/98758900942.pdfIn PDF document text
    • https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/9bjvgld70dq93ms8ecvnsn9an9/xonokog.pdfIn PDF document text
    • http://covina.crazyrockinsushi.com/uploads/files/peziborovuxe.pdfIn PDF document text
    • http://everest-c.ru/ckfinder/userfiles/files/27849943170.pdfIn PDF document text
    • https://ecableapp.com/FCKeditor/FCKimgUpload/file/42247093936.pdfIn PDF document text
    • http://itagqatar.com/itag/file/files/81553749391.pdfIn PDF document text
    • https://ngusacdon.com/upload/files/xujupodanonigevuz.pdfIn PDF document text
    • http://vipforiraq.com/userfiles/files/kupokux.pdfIn PDF document text
    • http://sh8ke.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141384d2e5e3---suzewizuxekasit.pdfIn PDF document text
    • http://fteq.ru/files/file/xadinefakobanux.pdfIn PDF document text
    • https://subarini.ro/mm/file/57770531507.pdfIn PDF document text
    • http://remontnoedelo.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1613d85a150a1b---62820797868.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.