Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bc1d0aec764f47b…

MALICIOUS

PDF

62.8 KB Created: 2021-06-28 00:31:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: a422a04e0d5e74203bc8da064f56d6fa SHA-1: 2a41002b554dd8079187ef4c1ee154411663b263 SHA-256: 2bc1d0aec764f47b76668b0d04010b0063cfd59ce6a27d096d349ad2abff5a44
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and ML classifiers, indicating a phishing or malware distribution attempt. It contains numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of embedded URLs and the nature of the heuristics strongly suggest this PDF is part of a phishing campaign, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5217

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=can+dogs+eat+raw+cashews PDF link annotation
    • http://pulsrmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160933bdf76b77---44135785326.pdfIn PDF document text
    • https://orrizon.ru/images/file/58993567121.pdfIn PDF document text
    • https://www.frankreich-ferien.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160a4ee16cf796---29350286252.pdfIn PDF document text
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/1942419379cd1e0f381389e854f7b2e0/97898068399.pdfIn PDF document text
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ccfe11ffed---didejilivexilawonoveli.pdfIn PDF document text
    • http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/b3cf9fa453bc5c7f0b6b299549da58e1/89932681908.pdfIn PDF document text
    • http://parcroyale.hk/userfiles/82744620414.pdfIn PDF document text
    • https://angkoronetour.com/userfiles/file/57032623981.pdfIn PDF document text
    • https://avgdesign.com/userfiles/file/midefi.pdfIn PDF document text
    • https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/5995e80f2c1f6e18217aef9736297b7f/vigexodupag.pdfIn PDF document text
    • https://www.reparaciondebomba.com.ar/wp-content/plugins/super-forms/uploads/php/files/gn1mur503h7nq46heuffh61bu5/nazuvufanoziwoxigokegib.pdfIn PDF document text
    • https://estidevelopers.com/wp-content/plugins/super-forms/uploads/php/files/66fdae201262c52cf861a3ce3f481e08/jetarorunaganirugulukuja.pdfIn PDF document text
    • https://amblamy.ee/upload/file/68637443482.pdfIn PDF document text
    • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/a1d165b5e5a8e362c39b5d6bbc67e9be/gimepafurariluvagiwudavek.pdfIn PDF document text
    • http://www.hj-bouwt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160a898abc5e6c---runibowogabivuroweguve.pdfIn PDF document text
    • https://nhathuydesign.com/wp-content/plugins/super-forms/uploads/php/files/mq024q6j4id4sadhcj5t3m296l/dovik.pdfIn PDF document text
    • https://wecareu.net/ckfinder/userfiles/files/79747255081.pdfIn PDF document text
    • https://wickedcheesy.com/images/file/31088051247.pdfIn PDF document text
    • http://bubblesoflove.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c08118079f1---mupozalabesilame.pdfIn PDF document text
    • https://fablab808.com/nbloom/fckuploads/file/72536340067.pdfIn PDF document text
    • http://uat.ideadunes.com/projects/ideadunes-portfolio-site/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb6715171c---kotuwesaxeduteveju.pdfIn PDF document text
    • https://www.vigo.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160a58b4ac464c---miripelis.pdfIn PDF document text
    • http://sdds.be/userfiles/file/59944002154.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.