Malicious PDF — malware analysis report

Static analysis result for SHA-256 293c5d98e2dd38cd…

MALICIOUS

PDF

52.6 KB Created: 2021-09-01 06:00:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 2ae1e16544c2d243bc25bd3ad7250764 SHA-1: 5b04c3a92e63ef72e765dd2934ab793157ce11d3 SHA-256: 293c5d98e2dd38cdb3de0fe6b2af3fbe1157aa9d33f7822607f4af084b3a716b
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, which is a common technique for exploiting PDF vulnerabilities or redirecting users to malicious sites. The numerous external URIs, including those hosted on compromised CMS uploads and disposable domains, strongly suggest a phishing or malware distribution campaign. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6164

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=filmora+licensed+email+and+activation+code PDF link annotation
    • https://loan-financial.com/wp-content/plugins/super-forms/uploads/php/files/ea1d45fc7d4990235972b0fc1cba75a7/bekud.pdfIn PDF document text
    • http://bbmeti.it/userfiles/files/49390555655.pdfIn PDF document text
    • http://maimungkorn.com/UserFiles/file/11492692524.pdfIn PDF document text
    • https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/02baf728c6c22201357ae20687fa8521/84709588796.pdfIn PDF document text
    • http://petrduchek.com/files/41488072398.pdfIn PDF document text
    • http://embeddedhr.com/ckfinder/userfiles/files/refepopa.pdfIn PDF document text
    • https://sdyh.gr/wp-content/plugins/super-forms/uploads/php/files/r66uaum06279gpqdq38bp6rm36/63150848645.pdfIn PDF document text
    • http://caminodesantiagoenmoto.com/assets/ckfinder/core/connector/php/uploads/files/xapebixezawogagan.pdfIn PDF document text
    • http://108shiva.com/userfiles/file/In PDF document text
    • https://sg-design.top/wp-content/plugins/super-forms/uploads/php/files/811a41f3d7b9209a1c36d2575765f076/1967237467.pdfIn PDF document text
    • https://certifiedmoversinc.com/wp-content/plugins/super-forms/uploads/php/files/b4763eedf0c1abbd7105ddfa7f1b7216/14517797140.pdfIn PDF document text
    • http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1608c1c35887c3---83416775468.pdfIn PDF document text
    • http://www.pattyn360.com/upload/forum/files/ximogumuf.pdfIn PDF document text
    • http://geoodwierty.pl/files/file/fosuda.pdfIn PDF document text
    • http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609b75295a514---73101775476.pdfIn PDF document text
    • http://www.adarshvidhyasankul.org/userfilesfile/30570363627.pdfIn PDF document text
    • https://businessservicesuk.com/userfiles/file/24233174439.pdfIn PDF document text
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/6b17084c9052ddedfcc9807ea03ed49b/41953479394.pdfIn PDF document text
    • https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/03bh9ntlg43c19k6e4nnnljb5d/pukol.pdfIn PDF document text
    • http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/160b3d6f1f0d40---47241183280.pdfIn PDF document text
    • http://arserwood.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/210830115246369226hbjnwx.pdfIn PDF document text
    • https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/p40l84u3gghuqfu1hblo09d3gn/88138581210.pdfIn PDF document text
    • https://www.ferienhof-schneider.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607a9e1336b4f---29977593807.pdfIn PDF document text
    • https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/d6bfa7c9d20876c322e9b9e76a5d95cb/vedozagekanopepugaxuzajer.pdfIn PDF document text
    • https://www.mysmilestudios.com/wp-content/plugins/super-forms/uploads/php/files/07649fc8c0b4f2939bd712ac7a60b0e2/fetajom.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.