Malicious PDF — malware analysis report

Static analysis result for SHA-256 215db1414a5f6163…

Verdict: MALICIOUS
File type: PDF
Size: 62.3 KB
Created: 2021-09-16 08:24:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-12
MD5: 940567c757c06eb1f76f8f44803d3627
SHA-1: c69823ad3e0e6ba339daafcbf6d2b5c4b154e853
SHA-256: 215db1414a5f616312b2305e2952b955d7926135980e9bb3b40b934f22daf621
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF is flagged by both a ClamAV signature (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (malicious score 0.7260). The heuristics describe an SEO link-farm phishing PDF rather than an exploit document: a small file, rendered from HTML with wkhtmltopdf, whose links point to random-slug .pdf files parked in the upload directories of vulnerable CMS components (FormCraft and Super Forms on WordPress, CKFinder and upload_fck user-file paths elsewhere) on many unrelated compromised hosts, plus one utm_term SEO-redirector link, 'https://huntic.ru/uplcv?utm_term=spy+app+apk+mod', carried by a link annotation. Such documents rank for search queries and route users into redirect/payload chains on the linked sites; the PDF itself carries no exploit, so the risk is the destinations, which are likely to serve phishing pages or further malware. Two points for the analyst: only the huntic.ru URL is an actual clickable /URI action, the .pdf URLs were recovered from page text; and the T1203 (Exploitation for Client Execution) mapping above is not supported by the findings, since no exploit content was identified and the only carved artifact is an embedded font.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7260

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0).
  • [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF link farm points to compromised-WordPress upload storage
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action (a /Link annotation whose action is /S /URI).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://huntic.ru/uplcv?utm_term=spy+app+apk+mod (PDF link annotation)
    • http://thrifthelp.com/flash/thrifthelp.com/file/nevagerufalasebezijonidal.pdf (in PDF document text)
    • http://babijie.com/upload_fck/file/2021-9-16/20210916061921260408.pdf (in PDF document text)
    • https://skillmapmagazine.com/ckfinder/userfiles/files/xejokebemobinemem.pdf (in PDF document text)
    • https://congnghiepxd204.vn/upload/files/71557299485.pdf (in PDF document text)
    • http://conflictfreeelectronics.com/ourprojects/chowki/UserFiles/renuka/file/xorezereloxiwamo.pdf (in PDF document text)
    • http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b007157df5---40464096316.pdf (in PDF document text)
    • https://www.burit.net/wp-content/plugins/formcraft/file-upload/server/content/files/161369bd82210c---wukugunogo.pdf (in PDF document text)
    • http://ipublicity.cz/data/file/21137218987.pdf (in PDF document text)
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/v59t1escanm2olq0ss9hoat01p/10181066825.pdf (in PDF document text)
    • http://vtdsbinhthuan.vn/public/uploads/userfiles/file/97853077503.pdf (in PDF document text)
    • https://jocafoto.com/fotos/file/86834367279.pdf (in PDF document text)
    • http://jgbt.us/pds/userfiles/files/42118656625.pdf (in PDF document text)
    • http://mojahotels.com/ckfinder/userfiles/files/numejakugotebatusobozilen.pdf (in PDF document text)
    • https://www.groupe-coelho.fr/ckfinder/userfiles/files/13581854261.pdf (in PDF document text)
    • http://constantemail.com/userfiles/file/1630845255kajubupu.pdf (in PDF document text)
    • https://partroyfuneralhome.com/partroy/assets/file/75924103250.pdf (in PDF document text)
    • http://centrlita.ru/archive/image/file/66221708712.pdf (in PDF document text)
    • http://geologocarmignani.com/userfiles/files/87694821508.pdf (in PDF document text)
    • https://smartcrm.cloud/upload/files/13203972550.pdf (in PDF document text)
    • http://arndt-fahrschule.de/userfiles/file/megot.pdf (in PDF document text)
    • https://apexsafetyproducts.com/ckfinder/userfiles/files/38874100944.pdf (in PDF document text)
    • https://www.jaegeraviation.com/ckfinder/userfiles/files/niluvejalefuduv.pdf (in PDF document text)
    • http://mgbig.com/upload_fck/file/2021-9-15/20210915140928246408.pdf (in PDF document text)
    • https://eirai.org/editor/ckfinder/userfiles/files/tetaritilowawowemizanuraz.pdf (in PDF document text)
    • http://sofia-es.tokyo/yamituki-n/uploads/files/goped.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text; DejaVu font project URL, not part of the link farm)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text; DejaVu font licence URL, not part of the link farm)
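The channel labels above (link annotation vs. document text) come from two different places in the file. The script below is an added example, not the report tool's code: it builds a small constructed PDF (one Flate-compressed content stream mentioning two URLs and one /Link annotation carrying a /URI action), then recovers every URL from the raw bytes and labels its channel. Hostnames ending in .invalid are placeholders. It covers the two caveats that matter in practice: content streams are normally compressed, so grepping the raw file misses document-text URLs, and PDF literal strings use backslash escapes that must be undone before a URL is compared against anything.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# /Link annotation action: /A << /S /URI /URI (target) >>  (the PDF_URI channel)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
# A stream object: its dictionary (one nesting level allowed), then stream ... endstream
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
# Literal strings inside a content stream: (...) with possibly escaped parentheses
LITERAL_STRING_RE = re.compile(rb"\((?P<s>(?:\\.|[^\\)])*)\)")


def unescape_pdf_string(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\ddd octal, and backslash-char -> char.
    (\\n, \\r and friends are reduced to the bare letter, harmless for URLs.)"""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
            else:
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return bytes(out)


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs, de-duplicated, in discovery order."""
    found = []
    for m in URI_ACTION_RE.finditer(pdf):          # channel: link annotation
        found.append((unescape_pdf_string(m.group("uri")).decode("latin-1"), "link annotation"))
    for m in STREAM_RE.finditer(pdf):              # channel: document text
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue                           # truncated, or another filter in the chain
        # Strings are joined with a space; a URL split across TJ array elements would
        # need kerning-aware reassembly, which this example does not attempt.
        text = b" ".join(unescape_pdf_string(s.group("s")) for s in LITERAL_STRING_RE.finditer(body))
        for u in URL_RE.finditer(text):
            found.append((u.group().decode("latin-1"), "document text"))
    return list(dict.fromkeys(found))


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one page, compressed content stream
    with two URLs in text, one link annotation whose URI contains a backslash escape."""
    content = (b"BT /F1 11 Tf 72 720 Td "
               b"(Download: http://example-host.invalid/userfiles/file/41188765523.pdf) Tj "
               b"0 -14 Td (Mirror: https://mirror.invalid/ckfinder/userfiles/files/xorezereloxiw.pdf) Tj ET")
    stream = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 710 400 730] "
        b"/A << /S /URI /URI (https://seo-redirector.invalid/uplcv?utm_term=free\\+template) >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


if __name__ == "__main__":
    for url, channel in extract_urls(build_sample_pdf()):
        print(f"{channel:16} {url}")
```

Run it against a real sample by replacing `build_sample_pdf()` with the file's bytes. Objects stored in object streams (PDF 1.5+) and other stream filters are not handled here; for those, decode the object streams first or use a full parser.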
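The two link-farm heuristics above are simple enough to re-implement over an extracted URL list. The script below is an added example, not the report tool's logic: it runs the checks over the URLs listed in this report (copied from the list above) and over a constructed benign control. The thresholds, the random-slug definition and the upload-path patterns are this example's own assumptions; the report names only FormCraft and Super Forms, and the CKFinder, upload_fck and userfiles paths are added to cover the other hosts in the list. The DejaVu URLs are treated as font metadata and ignored, and the disposable-host suffix list is a placeholder to be replaced with your own intelligence.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Sample input: the URLs listed in the report above and the reported size (62.3 KB).
REPORT_PDF_SIZE = 63795
REPORT_URLS = [
    "https://huntic.ru/uplcv?utm_term=spy+app+apk+mod",
    "http://thrifthelp.com/flash/thrifthelp.com/file/nevagerufalasebezijonidal.pdf",
    "http://babijie.com/upload_fck/file/2021-9-16/20210916061921260408.pdf",
    "https://skillmapmagazine.com/ckfinder/userfiles/files/xejokebemobinemem.pdf",
    "https://congnghiepxd204.vn/upload/files/71557299485.pdf",
    "http://conflictfreeelectronics.com/ourprojects/chowki/UserFiles/renuka/file/xorezereloxiwamo.pdf",
    "http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b007157df5---40464096316.pdf",
    "https://www.burit.net/wp-content/plugins/formcraft/file-upload/server/content/files/161369bd82210c---wukugunogo.pdf",
    "http://ipublicity.cz/data/file/21137218987.pdf",
    "https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/v59t1escanm2olq0ss9hoat01p/10181066825.pdf",
    "http://vtdsbinhthuan.vn/public/uploads/userfiles/file/97853077503.pdf",
    "https://jocafoto.com/fotos/file/86834367279.pdf",
    "http://jgbt.us/pds/userfiles/files/42118656625.pdf",
    "http://mojahotels.com/ckfinder/userfiles/files/numejakugotebatusobozilen.pdf",
    "https://www.groupe-coelho.fr/ckfinder/userfiles/files/13581854261.pdf",
    "http://constantemail.com/userfiles/file/1630845255kajubupu.pdf",
    "https://partroyfuneralhome.com/partroy/assets/file/75924103250.pdf",
    "http://centrlita.ru/archive/image/file/66221708712.pdf",
    "http://geologocarmignani.com/userfiles/files/87694821508.pdf",
    "https://smartcrm.cloud/upload/files/13203972550.pdf",
    "http://arndt-fahrschule.de/userfiles/file/megot.pdf",
    "https://apexsafetyproducts.com/ckfinder/userfiles/files/38874100944.pdf",
    "https://www.jaegeraviation.com/ckfinder/userfiles/files/niluvejalefuduv.pdf",
    "http://mgbig.com/upload_fck/file/2021-9-15/20210915140928246408.pdf",
    "https://eirai.org/editor/ckfinder/userfiles/files/tetaritilowawowemizanuraz.pdf",
    "http://sofia-es.tokyo/yamituki-n/uploads/files/goped.pdf",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]
# Constructed control: an ordinary document citing two PDFs on its own site.
BENIGN_URLS = [
    "https://docs.example.invalid/reports/annual-report-2021.pdf",
    "https://docs.example.invalid/reports/methodology.pdf",
    "https://www.example.invalid/about",
]

# Upload directories of form/file-manager components abused as free storage on
# compromised sites. FormCraft and Super Forms are named in the report; the other
# patterns are assumptions covering the remaining paths in the list.
CMS_UPLOAD_RE = re.compile(
    r"/wp-content/plugins/(?:formcraft|super-forms)/|/ckfinder/userfiles/"
    r"|/upload_fck/|/userfiles/|/uploads?/files/", re.I)
# Assumed definition of a random slug: long digit run, long letter run,
# hex-id---suffix, or timestamp followed by letters.
RANDOM_SLUG_RE = re.compile(r"^(?:\d{8,}|[a-z]{12,}|[0-9a-f]{10,}---.+|\d{8,}[a-z]+)\.pdf$", re.I)
BENIGN_HOSTS = {"dejavu.sourceforge.net"}            # font-project URLs, assumed benign
DISPOSABLE_HOST_SUFFIXES = (".netlify.app", ".web.app", ".github.io")  # placeholder list


def classify_links(urls, pdf_size_bytes, *, small_pdf_max=200 * 1024,
                   min_farm_links=5, min_hosts=4, max_dominant_share=0.5):
    """Apply the two link-farm heuristics; thresholds are assumptions of this example."""
    parsed = [p for p in map(urlparse, urls) if p.hostname not in BENIGN_HOSTS]
    pdf_links = [p for p in parsed if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in pdf_links)
    dominant_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    cms_random = [p for p in pdf_links
                  if CMS_UPLOAD_RE.search(p.path) and RANDOM_SLUG_RE.match(p.path.rsplit("/", 1)[-1])]
    utm_redirectors = [p.geturl() for p in parsed if "utm_term" in parse_qs(p.query)]
    disposable = [p.geturl() for p in parsed if p.hostname and p.hostname.endswith(DISPOSABLE_HOST_SUFFIXES)]

    cms_farm = len(cms_random) >= min_farm_links and len({p.hostname for p in cms_random}) >= min_hosts
    disposable_farm = (pdf_size_bytes <= small_pdf_max and len(pdf_links) >= min_farm_links
                       and len(hosts) >= min_hosts and dominant_share <= max_dominant_share
                       and bool(utm_redirectors or disposable))
    return {
        "pdf_links": len(pdf_links),
        "distinct_pdf_hosts": len(hosts),
        "dominant_host_share": round(dominant_share, 3),
        "cms_random_slug_links": len(cms_random),
        "utm_term_redirectors": utm_redirectors,
        "disposable_host_links": disposable,
        "PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM": cms_farm,
        "PDF_SEO_DISPOSABLE_LINK_FARM": disposable_farm,
    }


if __name__ == "__main__":
    for name, urls, size in (("report sample", REPORT_URLS, REPORT_PDF_SIZE),
                             ("benign control", BENIGN_URLS, 900_000)):
        print(name, classify_links(urls, size))
```

On the report's URL list this yields 25 .pdf links on 25 distinct hosts (dominant host share 0.04), 18 of them random-slug files under CMS upload paths, plus the huntic.ru utm_term redirector, so both heuristics fire; the control document, with two PDFs on one host, trips neither.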

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d84c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD84C  10096 bytes
SHA-256: 51994dba0bb97929225db5004bf0dfd8ad48b9c97950e92e60b919406b7822bf