Malicious PDF — malware analysis report

Static analysis result for SHA-256 27d9d274d2f6332e…

MALICIOUS

PDF

70.3 KB Created: 2021-09-07 14:04:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 4706754e50da322ffa845c548e482d45 SHA-1: a059ca56aea9aaa446b0c524e73a5bb37491e188 SHA-256: 27d9d274d2f6332e7e77839c870fab664e687fb6e0beaa97194c487bc01971c3
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment   T1204.001 User Execution: Malicious Link

The PDF contains numerous external links, most of them to PDF files parked on compromised WordPress sites and other third-party upload directories. The ClamAV detection and the heuristic firings indicate a phishing or malware distribution attempt. The document body yields no readable text, but the structure and the linked URLs strongly suggest an intent to redirect users to potentially harmful content. The two dejavu.sourceforge.net links point to the DejaVu font project and its license page and are a benign reference, not part of the link farm.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4270

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL  (channel)
    • https://master.plus/wp-content/plugins/super-forms/uploads/php/files/e8fbd2439b115e407e414a8343f6c0d7/8395102803.pdf  (In PDF document text)
    • https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16077dc15d5fae---vekejeto.pdf  (In PDF document text)
    • http://1-sanya.com/blog_images/blog_/file/82194553270.pdf  (In PDF document text)
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/ea0f1b1659473ee885b09084b8d5448a/feworixoti.pdf  (In PDF document text)
    • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/7f7f92972b2431b5322d1be13f3b0572/77929734399.pdf  (In PDF document text)
    • https://charterfori.ir/basefile/charterforiir/files/galavasemubenitagidali.pdf  (In PDF document text)
    • http://www.kickcommerce.com/userfiles/file/sugekugegutasoxa.pdf  (In PDF document text)
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c25ff68b63d---20451641439.pdf  (In PDF document text)
    • http://backkwang.com/userData/board/file/deluvowodizufesewuwev.pdf  (In PDF document text)
    • http://michelesherrinlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/62631575154.pdf  (In PDF document text)
    • http://novussiteyonetimi.com/uploads/file/84016031875.pdf  (In PDF document text)
    • http://cfh2.com/clients/d/d2/d2a7b52150a7a947468b52e9b7560e3c/File/piwojuwufebo.pdf  (In PDF document text)
    • http://mirai-kankyo.com/userfiles/files/24761118023.pdf  (In PDF document text)
    • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/78df8b245445e58025f150f220bf6923/rugizon.pdf  (In PDF document text)
    • https://yellowmangocafe.com/userfiles/file/6541187546.pdf  (In PDF document text)
    • https://alianzatours.com/imagenes/file/24637436074.pdf  (In PDF document text)
    • http://www.rec39.ru/wp-content/plugins/super-forms/uploads/php/files/bae6d0f812c8c50b8a8e81e5a2a4ed46/goneromaboximuredu.pdf  (In PDF document text)
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a5df7717e5---rezupotazoxesike.pdf  (In PDF document text)
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc737bb3a67---perolu.pdf  (In PDF document text)
    • http://littlefreddieking.com/clients/65037/File/tivakomuseg.pdf  (In PDF document text)
    • http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081bcb949147---50579686360.pdf  (In PDF document text)
    • http://hainescentreasia.com/images/file/gelubezeruxanogoluge.pdf  (In PDF document text)
    • https://gamaconsultores.cl/upload/file/xurodik.pdf  (In PDF document text)
    • http://miamiwars.pl/wp-content/plugins/super-forms/uploads/php/files/ad44b850dbd58e861bc1ff7eb910c8be/87206853822.pdf  (In PDF document text)
    • https://cihangirhotel.com/upload/ckfinder/files/70256514429.pdf  (In PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=pdf+creator+compression+images  (PDF link annotation)
    • http://dejavu.sourceforge.net  (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License  (In PDF document text)
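The two link-farm heuristics above (thin spread of PDF links over many hosts corroborated by a utm_term SEO redirector, and link targets parked in WordPress form-plugin upload directories) can be reproduced as a stand-alone check over the extracted URL list. The Python below is an added example, not code from this report or from the analysis tool that produced it. Its thresholds (minimum distinct hosts, maximum share held by the dominant host, minimum number of plugin-upload hits) and the two plugin path patterns are assumptions chosen for illustration; the sample input is a subset of the URLs listed above.

```python
"""Link-farm triage over URLs extracted from a PDF.

Added example; not code from the original report or from the analysis tool.
Re-implements the two link-farm heuristics as a stand-alone check:
  - host diversity: many PDF links thinly spread over distinct hosts, with no
    dominant host, corroborated by a utm_term SEO-redirector link
  - compromised CMS: link targets parked in upload directories written by
    vulnerable WordPress form plugins (Super Forms, FormCraft)
Thresholds and path patterns are assumptions chosen for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: these two patterns cover the plugin upload locations seen above.
PLUGIN_UPLOAD_PATHS = [
    re.compile(r"/wp-content/plugins/super-forms/uploads/php/files/[0-9a-f]{32}/"),
    re.compile(r"/wp-content/plugins/formcraft/file-upload/server/content/files/"),
]
# Generic third-party upload directories (CKFinder, userfiles, client areas).
GENERIC_UPLOAD_PATH = re.compile(r"/(userfiles|uploads?|ckfinder|clients|customer)/", re.I)


def classify_url(url):
    """Labels describing why a single URL looks like a link-farm target."""
    parts = urlsplit(url)
    labels = set()
    if parts.path.lower().endswith(".pdf"):
        labels.add("pdf_target")
    if any(p.search(parts.path) for p in PLUGIN_UPLOAD_PATHS):
        labels.add("plugin_upload_dir")
    elif GENERIC_UPLOAD_PATH.search(parts.path):
        labels.add("generic_upload_dir")
    if "utm_term" in parse_qs(parts.query):
        labels.add("seo_redirector")
    return labels


def link_farm_report(urls, min_hosts=8, max_dominant_share=0.25, min_plugin_hits=3):
    """Summarise a URL list against the two heuristics.

    disposable_link_farm: at least min_hosts distinct hosts serve PDF links, no
        host holds more than max_dominant_share of those links, and at least one
        utm_term SEO-redirector link is present.
    compromised_cms_farm: at least min_plugin_hits links sit in form-plugin
        upload directories.
    """
    pdf_hosts = Counter()
    plugin_hits = 0
    seo_redirector = False
    for url in urls:
        labels = classify_url(url)
        if "pdf_target" in labels:
            pdf_hosts[urlsplit(url).hostname or ""] += 1
        if "plugin_upload_dir" in labels:
            plugin_hits += 1
        if "seo_redirector" in labels:
            seo_redirector = True
    total = sum(pdf_hosts.values())
    dominant_share = max(pdf_hosts.values()) / total if total else 0.0
    return {
        "pdf_links": total,
        "distinct_hosts": len(pdf_hosts),
        "dominant_host_share": round(dominant_share, 3),
        "plugin_upload_hits": plugin_hits,
        "seo_redirector": seo_redirector,
        "disposable_link_farm": (len(pdf_hosts) >= min_hosts
                                 and dominant_share <= max_dominant_share
                                 and seo_redirector),
        "compromised_cms_farm": plugin_hits >= min_plugin_hits,
    }


# Sample input: a subset of the URLs extracted from the sample analysed above.
SAMPLE_URLS = [
    "https://master.plus/wp-content/plugins/super-forms/uploads/php/files/e8fbd2439b115e407e414a8343f6c0d7/8395102803.pdf",
    "https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16077dc15d5fae---vekejeto.pdf",
    "http://1-sanya.com/blog_images/blog_/file/82194553270.pdf",
    "http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/ea0f1b1659473ee885b09084b8d5448a/feworixoti.pdf",
    "http://www.kickcommerce.com/userfiles/file/sugekugegutasoxa.pdf",
    "http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c25ff68b63d---20451641439.pdf",
    "http://michelesherrinlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/62631575154.pdf",
    "https://cihangirhotel.com/upload/ckfinder/files/70256514429.pdf",
    "https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/78df8b245445e58025f150f220bf6923/rugizon.pdf",
    "https://alianzatours.com/imagenes/file/24637436074.pdf",
    "https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=pdf+creator+compression+images",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

if __name__ == "__main__":
    for key, value in link_farm_report(SAMPLE_URLS).items():
        print("%-22s %s" % (key, value))
```

On the sample list this yields 10 PDF links on 10 distinct hosts (dominant share 0.1), 5 plugin-upload hits and one SEO-redirector link, so both verdicts fire; a normal document citing a few PDFs on one host stays below the host threshold and is not flagged. The two dejavu.sourceforge.net links contribute nothing to either count.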

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000e33d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xE33D   16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fb54.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xFB54   10916 bytes
    SHA-256: 98648fe08ed91d66b796232ca0a5323550066824a8d836b676fe2c6a808c4c07
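Before treating a carved font stream as inert, a practitioner would confirm that it really is an sfnt container and look for data the font does not reference. The Python below is an added example, not code from this report or from the tool that carved the artifacts: it parses the offset table and table directory, checks that every table lies inside the blob, verifies the 'head' table magic, and reports trailing bytes past the last table (where an appended payload would sit) together with the SHA-256 that can be compared against the digests listed above. The minimal TrueType blob it builds is constructed inline for the demonstration, and treating only 'head' as required is an assumption, since subset fonts embedded in PDFs routinely omit other tables.

```python
"""Sanity-check a carved sfnt font stream.

Added example; not code from the original report or from the tool that carved
the font_NN_sfnt_*.bin artifacts. Confirms the blob parses as an sfnt container
(valid version tag, table records inside the data, 'head' magic) and measures
unreferenced trailing data. The sample font is constructed inline; requiring
only the 'head' table is an assumption.
"""
import hashlib
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"typ1"}
HEAD_MAGIC = 0x5F0F3CF5  # magicNumber field of the 'head' table


def parse_sfnt(blob):
    """Parse the offset table and table directory of an sfnt blob.

    Returns a dict with the parsed tables, the number of bytes after the last
    table, the SHA-256 of the blob and a list of problems; an empty problem
    list (ok == True) means the blob looks like a well-formed sfnt container.
    """
    problems = []
    if len(blob) < 12:
        return {"ok": False, "problems": ["shorter than offset table"], "tables": {}}
    version = blob[:4]
    num_tables, = struct.unpack(">H", blob[4:6])
    if version not in SFNT_VERSIONS:
        problems.append("unknown sfnt version %r" % version)
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        problems.append("table directory runs past end of data")
        num_tables = (len(blob) - 12) // 16  # parse only the records that exist
    tables = {}
    extent = dir_end
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i: 28 + 16 * i])
        tables[tag] = (offset, length)
        if offset + length > len(blob):
            problems.append("table %r [%d+%d] exceeds data" % (tag, offset, length))
        extent = max(extent, offset + length)
    if b"head" in tables:
        off, ln = tables[b"head"]
        if ln >= 16 and off + 16 <= len(blob):
            magic, = struct.unpack(">I", blob[off + 12: off + 16])
            if magic != HEAD_MAGIC:
                problems.append("head magic 0x%08X != 0x%08X" % (magic, HEAD_MAGIC))
        else:
            problems.append("head table too short")
    else:
        problems.append("no head table")
    # Bytes beyond the last table are never read by a font renderer; a sizeable
    # tail is the first place to look for an appended payload.
    trailing = len(blob) - extent if extent <= len(blob) else 0
    return {
        "ok": not problems,
        "version": version,
        "tables": tables,
        "trailing_bytes": trailing,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "problems": problems,
    }


def build_sample_font(tail=b""):
    """Constructed minimal TrueType container: a single 54-byte 'head' table
    (zero except for the magic) followed by an optional unreferenced tail."""
    head = bytearray(54)
    struct.pack_into(">I", head, 12, HEAD_MAGIC)
    num_tables = 1
    # searchRange / entrySelector / rangeShift for one table: 16, 0, 0
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num_tables, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 12 + 16 * num_tables, len(head))
    return header + record + bytes(head) + tail


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_font()
    for key, value in parse_sfnt(data).items():
        print("%-15s %s" % (key, value))
```

Run it as `python3 check_sfnt.py font_00_sfnt_off0000e33d.bin` (file name assumed) to check a carved stream; with no argument it checks the constructed sample. A blob that fails the version check, whose table records point outside the data, or that carries a large unreferenced tail deserves a closer look before the artifact is written off as a plain font.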