Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cf47d1ec729f738…

MALICIOUS

PDF

59.5 KB Created: 2021-09-06 11:34:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 6212f326b2bd5255f7a842d468a1c29f SHA-1: 77e5ef82ff06996a12800ca72501c3aa5df69792 SHA-256: 2cf47d1ec729f7383f476a1d677fa3d99c7d76a6cb4cb286ea45059ee581bac8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs pointing to compromised WordPress sites and disposable hosting. These links likely serve as a distribution mechanism for phishing or malware, aligning with the characteristics of a spearphishing attachment attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5382

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=installation+chauffage+central+tube+multicouche+pdf PDF link annotation
    • http://files.ibiza-ferien.de/file/3734694002.pdfIn PDF document text
    • https://youstore21.com/wp-content/plugins/super-forms/uploads/php/files/f8af2e45aee1d31298b193da7a3f8bcb/bipezu.pdfIn PDF document text
    • https://ceadersvalet.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f0ed1a952c---gibidebogijinebudel.pdfIn PDF document text
    • https://diaochue.vn/userfiles/file/4668435342.pdfIn PDF document text
    • https://z87992961.com/upload/files/20210709103802.pdfIn PDF document text
    • http://bydnjl.com/userfiles/files/63917193408.pdfIn PDF document text
    • http://kondicionery-vidnoe.ru/upload_picture/file/sojelirewosa.pdfIn PDF document text
    • http://phutungquanghieu.com/app/webroot/files/ckfinder/files/xexitixalifemam.pdfIn PDF document text
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/914c3d1d108c967bac203497cc2c4b5b/lijazefaguwigexavusosunot.pdfIn PDF document text
    • https://hylyt.co/wp-content/plugins/super-forms/uploads/php/files/aa807c6ec2c78044bcfd3db880ee4e50/16015985973.pdfIn PDF document text
    • https://jetzterstrecht.hamburg/wp-content/plugins/super-forms/uploads/php/files/27jjrp5d75pfpbnnlr9svu18a9/7032522043.pdfIn PDF document text
    • http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/161001ea8a58f4---74106610588.pdfIn PDF document text
    • https://tfnd.org/wp-content/plugins/super-forms/uploads/php/files/9d0a47c508933387cd83f25690110acd/toxazejakagod.pdfIn PDF document text
    • http://anhuicrew.com/upload_fck/file/2021-6-12/20210612010335854375.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/33357c0b197ef202ca9482cebd6cbd61/61301614836.pdfIn PDF document text
    • https://grandplaza.bg/uploads/assets/file/52470480233.pdfIn PDF document text
    • http://aawyx.com/sites/default/imageuser/file/18978055799.pdfIn PDF document text
    • https://oknoplus-omsk.ru/wp-content/plugins/super-forms/uploads/php/files/184eb1ae0b2cb6718e30e35248828e91/61243057283.pdfIn PDF document text
    • http://xboxheerlen.nl/userfiles/file/pejis.pdfIn PDF document text
    • https://careersourcechipola.com/files/public/86957868871.pdfIn PDF document text
    • https://visaonline-vn.com/wp-content/plugins/super-forms/uploads/php/files/m066t6kgcagfbhbgcv8jr31958/betozesawojuvogisoxem.pdfIn PDF document text
    • https://ringid.vn/ckfinder/userfiles/files/bogopesofokegi.pdfIn PDF document text
    • http://hhs63.org/clients/8/88/88ec95b665b56da82b1de85f097fba10/File/95226226999.pdfIn PDF document text
    • https://greenlakepaint.com/ckfinder/userfiles/files/xutabotudotolubifam.pdfIn PDF document text
    • http://urjabatteries.in/userfiles/file/22079666018.pdfIn PDF document text
    • http://greatwalledmond.com/ckfinder/userfiles/files/vepidozukerutigaximopob.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bf14.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBF14 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1