Malicious PDF — malware analysis report

Static analysis result for SHA-256 24733d90f7469253…

MALICIOUS

PDF

71.0 KB Created: 2021-09-22 18:09:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 93c5bcad7cd47ba7ba5705d026d0deda SHA-1: 125555e222bceeb3dabb3caea48f536f3f5583e4 SHA-256: 24733d90f746925304a6bee6ce79cb2ec903083584223b324f4883bee428fb41
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF containing embedded JavaScript and a significant number of external URIs, many of which point to compromised CMS uploads or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' strongly suggest a link farm designed to obscure the true destination, likely for phishing or malware delivery. The embedded JavaScript, while not directly analyzed for specific actions, is a common component in PDF exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6691

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=melbet+apk+latest+version
    • http://richmediahouse.com/admin/uploads/file/supar.pdf
    • http://telekommarketing.com/firme_data/files/dakevafodiviri.pdf
    • https://www.meditech.cz/ckfinder/userfiles/files/ruladit.pdf
    • https://foodexgida.com/uploads/files/libala.pdf
    • http://slenderclub.cz/ckfinder/userfiles/files/ritejimuzepepukojovipij.pdf
    • https://casalindasbakery.com/ckfinder/userfiles/files/44357960892.pdf
    • http://parvazyab.net/basefile/api203/files/42273898012.pdf
    • https://doluhosting.com/calisma2/files/uploads/najawexaluve.pdf
    • http://kino-cosmik.ru/sadm_files/69821931235.pdf
    • http://wsm.hk/images/files/roxurikukuladusilovar.pdf
    • http://rotarylaspalmas.org/documentos/file/kalovizugurabofev.pdf
    • http://www.icodar.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613bc3e823419---xuned.pdf
    • http://ibtaker.ps/userfiles/file/xebodajavilumalatoti.pdf
    • http://www.palmettoexpresslanes.com/system/js/back/ckfinder/userfiles/files/31884474903.pdf
    • http://a-b-i-s.net/layout/bilder/file/35061225337.pdf
    • http://www.1atlanticfunding.com/wp-content/plugins/formcraft/file-upload/server/content/files/16145bf9098063---36343175145.pdf
    • https://chsins.tw/uploads/files/202109181547352493.pdf
    • http://fosterfreezesantarosa.com/uploads/files/40702671692.pdf
    • http://alfonsoguiggiarchitetto.it/userfiles/files/63355467637.pdf
    • http://izhar-energy.com/userfiles/file/bopalebuvadoxezomujozevab.pdf
    • https://drnanemilk.com/tctt/sites/aaa/file/74310881260.pdf
    • http://sitoad.com/bbqjoekey/files/202109211418283767.pdf
    • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16144bdc9044f7---68104132674.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e463.bin
4ef130e5e752e68518aba2a8d3a7b8ab117f550bdc7ad98ddd6b5e836720ee01		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE463 19432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.