Malicious PDF — malware analysis report

Static analysis result for SHA-256 23e14f00a9cf2204…

MALICIOUS

PDF

48.3 KB Created: 2021-09-04 07:11:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 60408477abea593674af60f69c70ab8e SHA-1: 2fcd1505e77d48494c1822b8ffca51149fb9f524 SHA-256: 23e14f00a9cf22042b07ecea3c0f5543fb34331280657788c022779bde5f5ac0
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, a common technique for exploiting vulnerabilities or redirecting users. It also features numerous links to compromised websites, including a link farm on disposable hosting and links pointing to compromised WordPress upload storage. These elements strongly suggest a phishing or malware distribution campaign, with the embedded JavaScript likely initiating the malicious action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8831

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://arredamentoambienti.it/img/file/naribubo.pdf In PDF document text
    • http://booklandbooks.com/userfiles/file/14447854733.pdfIn PDF document text
    • https://afanasyev-design.ru/wp-content/plugins/super-forms/uploads/php/files/bcd78c4fd852579c51a22e57e6db76db/libenijobalemofid.pdfIn PDF document text
    • https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/8a1b7878923837439eca24e9fed30885/sagosatejenu.pdfIn PDF document text
    • https://northcoteplaza.com/userfiles/file/rekekalalenupez.pdfIn PDF document text
    • https://kaplaitalia.it/userfiles/files/84202448786.pdfIn PDF document text
    • https://www.apartamentselsllacs.com/wp-content/plugins/super-forms/uploads/php/files/p9odbcpl8guhfka33lqs4n9ape/kaxukitide.pdfIn PDF document text
    • http://billsky.ee/files/file/31303497216.pdfIn PDF document text
    • http://kielcenoca.pl/files/file/95193653107.pdfIn PDF document text
    • https://zivotzaokny.eu/res/file/jixopewudugezipevowo.pdfIn PDF document text
    • https://contact-house.com/fckeditor/upload/file/36919244517.pdfIn PDF document text
    • http://drvision.org/wp-content/plugins/formcraft/file-upload/server/content/files/160803b396456a---mutuvumubovepelabuvolip.pdfIn PDF document text
    • http://nofatrans-int.com/userfiles/file/18116846846.pdfIn PDF document text
    • https://www.rekalibracija.com/wp-content/plugins/super-forms/uploads/php/files/da99054abfc3c9fa40c489172e073d39/92565612611.pdfIn PDF document text
    • https://www.totalblissbeauty.com.au/application/third_party/ckfinder/userfiles/files/dosixiw.pdfIn PDF document text
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/16119114867fee---58736815013.pdfIn PDF document text
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/77de00e901b6db1ac182f881b874defe/wezomipamumitijibi.pdfIn PDF document text
    • https://actorconseil.com/files/file/88559384757.pdfIn PDF document text
    • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075e14b2f841---radifalozo.pdfIn PDF document text
    • https://space1500.com/wp-content/plugins/super-forms/uploads/php/files/29e50632fcf7835cee46b4a13a8eb0d0/62509818971.pdfIn PDF document text
    • http://www.vljainandco.com/userfiles/files/tigodufujite.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=leica+confocal+microscope+user+manualPDF link annotation