Malicious PDF — malware analysis report

Static analysis result for SHA-256 25e3d1649fbb453b…

MALICIOUS

PDF

134.9 KB Created: 2021-08-31 23:04:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: f75c77216fb4d50e910b521120138263 SHA-1: 3ba284ad3c4d9c72bdee04862ff7d3c2d9736fc4 SHA-256: 25e3d1649fbb453b875b603fa777d6475eadfd5a881cb7ff7db4b736891e3c71
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress sites and other domains, which are likely hosting malicious content. Heuristics indicate a link farm designed to distribute further malicious PDFs. ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or trojan distribution intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8146

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/1608b36b1bfdeb---xibusoletotifuxulozi.pdf In PDF document text
    • https://ap-qatar.com/userfiles/files/lodizejetebogozar.pdfIn PDF document text
    • https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/6f2a322da7e3d29635e926e16cb56b3b/66218553644.pdfIn PDF document text
    • https://amd-export.com/site/upload/file/radifewirut.pdfIn PDF document text
    • https://tonwen.org/userfiles/file/99439288932.pdfIn PDF document text
    • http://fritz-fahrlaender.ch/download/96656366803.pdfIn PDF document text
    • https://www.drserapkagan.com/wp-content/plugins/super-forms/uploads/php/files/4ns0gnaa4q272edva8v9rflo34/dilotigoxowute.pdfIn PDF document text
    • http://sreema.org/FCKeditor/file/pudaziwowodupipovelelagi.pdfIn PDF document text
    • http://amoy-art.com/Upload/file/kavanefa.pdfIn PDF document text
    • http://brandnewgoods.net/userfiles/file/89775327841.pdfIn PDF document text
    • https://www.northamericatalk.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071c8d8f0b6d---83938728585.pdfIn PDF document text
    • https://agencement-menuiserie-var.fr/stockages/files/19109617732.pdfIn PDF document text
    • https://ariconium.cz/webpagebuilder/ckfinder/userfiles/files/38343976238.pdfIn PDF document text
    • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/7ofdtfse686juemuavm7ltjrdb/xojelelawuledikerazob.pdfIn PDF document text
    • http://simonide.org/userfiles/file/4978907324.pdfIn PDF document text
    • https://spheresignal.com/app/webroot/userfiles/files/6868317488.pdfIn PDF document text
    • http://alicekhenrylawoffice.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/37762504847.pdfIn PDF document text
    • http://klhl.com/userfiles/file/22051599718.pdfIn PDF document text
    • https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607cfd583d529---zoxuvuzika.pdfIn PDF document text
    • http://baovevietnam-vnss.com/upload/file/givuratov.pdfIn PDF document text
    • https://voyageaventurenepal.com/upload/files/74523972541.pdfIn PDF document text
    • http://be1971.com/clients/a/a1/a19be2fc4cf8b198b52f296748481ce5/File/86382034310.pdfIn PDF document text
    • http://www.sevenchurchestour.net/seven/wp-content/plugins/formcraft/file-upload/server/content/files/1609e9bb46ba7d---fafemeboxazolafixijamebaf.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=divine+revelation+of+the+spirit+realm+pdf+free+downloadPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c5ee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C5EE 20468 bytes
SHA-256: 6d4d3bb21e9693f562a955f12a917b241af723fbff269c3bec46ff9986a3bc2d
font_01_sfnt_off0001fa22.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FA22 10916 bytes
SHA-256: 3c8f22c93ac921f27ba887842f4bdfb9df2b18d5a196b8b0b4e319a978adf439

Open this report in the interactive analyzer, or submit your own file for analysis.