Malicious PDF — malware analysis report

Static analysis result for SHA-256 219559ee0d2e20cf…

MALICIOUS

PDF

63.8 KB Created: 2021-06-26 10:10:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 71191e2d40a97209f34c38eb32d9c031 SHA-1: 60b8bc0dabde77bbf15f655d0151ddca605e68c1 SHA-256: 219559ee0d2e20cfe207211472ff31f2aeb7f4735c0dde8e1fd19a610b146259
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains a link farm directing users to multiple websites, many of which are hosted on compromised CMS upload directories or disposable domains. This behavior, combined with ClamAV detection as 'Pdf.Phishing.Trojan', strongly suggests a phishing or malware distribution attempt. The ML classifier also flagged the PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6736

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://harryfok.com/ckfinder/userfiles/files/7701155894.pdf In PDF document text
    • https://mimpiindah2.com/contents//files/2324462387.pdfIn PDF document text
    • https://www.heracles-hotel.eu/wp-content/plugins/super-forms/uploads/php/files/oacrh471d4s5o3qi6r5hsh0s4l/xakiberupim.pdfIn PDF document text
    • http://www.sunarmisir.com.tr/wp-content/plugins/super-forms/uploads/php/files/2cm1jf8cnp1coteikj9p0vn1v3/70110634385.pdfIn PDF document text
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/48a413a5c6adfb2f0fddcb04511285e7/dejaserikaxifuja.pdfIn PDF document text
    • http://kasystemofkarate.com/clients/861259/File/45022547455.pdfIn PDF document text
    • http://historia-bfured.hu/userfiles/file/bemivosafomuxujojajanujid.pdfIn PDF document text
    • https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607294a9b686b---panuw.pdfIn PDF document text
    • http://www.everhouse.lt/wp-content/plugins/formcraft/file-upload/server/content/files/1609792d47c6c3---doragoba.pdfIn PDF document text
    • https://associazionedynamica.it/uploads/file/61325209482.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a745ce8a370---12129104907.pdfIn PDF document text
    • http://rzn-house.ru/upload/file/verinulasuzikujif.pdfIn PDF document text
    • https://sealskinz.ru/files/file/wasube.pdfIn PDF document text
    • https://vate-tire.ru/wp-content/plugins/super-forms/uploads/php/files/dbd2b1ce481666c4caba00edc71c561a/witawapu.pdfIn PDF document text
    • http://www.siposferenc.hu/html/weretolijezagovozogegopi.pdfIn PDF document text
    • http://payassistinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb5b603356---94040294263.pdfIn PDF document text
    • http://ytovietnam.net/ckfinder/userfiles/files/gasimimubidikomozitu.pdfIn PDF document text
    • http://beiwendq.com/userfiles/file/19998667511.pdfIn PDF document text
    • http://gursakaryahukuk.com/images/file/belozakuwowedamoso.pdfIn PDF document text
    • http://www.jcca.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/160c3faece506d---83556731741.pdfIn PDF document text
    • https://familienbilstrup.dk/ckfinder/userfiles/files/51128489721.pdfIn PDF document text
    • http://www.psstrecno.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160d08550b9db4---kisek.pdfIn PDF document text
    • https://encouragingmath.com/wp-content/plugins/super-forms/uploads/php/files/19bcbcffe8902ef2c7f131c77ae518a5/13933526214.pdfIn PDF document text
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/27e97ae2b49b876c7cddb68b1e9e5e14/54704173989.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=can+you+build+immunity+to+poison+ivyPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e92c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE92C 10772 bytes
SHA-256: 59d92ac943456135d1c8808f279f623be175000e12fac8391c0cf621200d6bb2

Open this report in the interactive analyzer, or submit your own file for analysis.