Malicious PDF — malware analysis report

Static analysis result for SHA-256 2157fc8cb14338f3…

MALICIOUS

PDF

111.5 KB Created: 2021-08-31 02:14:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: ea442f2c98810b377ebfd2956f607af1 SHA-1: f439192d8e57d750e983d70a93c1e96c15bc1b34 SHA-256: 2157fc8cb14338f36f8fb83219484a7071945b2fcf3a2308ef4ee0a2ccc483f0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, directing users to multiple compromised WordPress upload sites and disposable hosting domains. The embedded URLs, such as 'https://crewmak.ru/uplcv?utm_term=stitch+pain+in+left+side', likely serve as lures for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6396

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=stitch+pain+in+left+side PDF link annotation
    • https://karapinarinsaat.net/userfiles/upload/file/6323422241.pdfIn PDF document text
    • https://valleyrestoration.net/home/apf/public_html/ckfinder/userfiles/files/96018392648.pdfIn PDF document text
    • https://drmarlenebothma.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160822c9082353---pakezurixirufomaferipi.pdfIn PDF document text
    • http://shopsuathientu.com/uploads/userfiles/file/makodapaxales.pdfIn PDF document text
    • https://tenshinorchids.com/FCKeditor_upload/file/betusutisogijegewopizeti.pdfIn PDF document text
    • https://adian.eus/files/galeria/files/43647215797.pdfIn PDF document text
    • https://massagetheory.ca/wp-content/plugins/super-forms/uploads/php/files/6617b35a05e749d48d8461e5b3dcb68c/53658621986.pdfIn PDF document text
    • https://exlite.it/ckfinder/userfiles/files/96760352302.pdfIn PDF document text
    • https://sirikulsteel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cad1c234350---sofapegijozetixosemidotax.pdfIn PDF document text
    • https://mjrspot.com/fckimages/file/53464665686.pdfIn PDF document text
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a224bb087c7---74469479628.pdfIn PDF document text
    • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/ec7ea18668b45cde42fdd8a4ab1dedd3/15907335849.pdfIn PDF document text
    • http://utuin.net/files/fckeditor/file/wizib.pdfIn PDF document text
    • http://kesifveotesi.com/files/81701995127.pdfIn PDF document text
    • http://krindustria.com.br/site/wp-content/plugins/formcraft/file-upload/server/content/files/16126b827b7aee---49732146616.pdfIn PDF document text
    • http://kythuatviet.vn/uploads/userfiles/file/lopazivubediwo.pdfIn PDF document text
    • http://vitajeans.com/ckfinder/userfiles/files/28606444201.pdfIn PDF document text
    • http://teplolux72.ru/upload/file/39357723800.pdfIn PDF document text
    • http://xn--9w3b270a7kf.kr/ckfinder/userfiles/files/zowofovetamafawowogixa.pdfIn PDF document text
    • https://cor.org.ar/wp-content/plugins/super-forms/uploads/php/files/v76mjiif8tp8cn60c68td67u0r/mawipapekoxubotatemovu.pdfIn PDF document text
    • https://criteriacambio.com.br/wp-content/plugins/super-forms/uploads/php/files/o02v541cjaeub7pef935rcggr7/zagomarodelerijogujonilid.pdfIn PDF document text
    • http://bilagroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ffd7a6ca54---mosajofaf.pdfIn PDF document text
    • http://nemeckystrakac.sk/editor_uploads/files/94940654053.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00018e99.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18E99 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001a6b0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A6B0 10572 bytes
SHA-256: 0c0c880ed87da32e33765a98d945edbc97ffd17c2776172db555f2b52e449c0a

Open this report in the interactive analyzer, or submit your own file for analysis.