Malicious PDF — malware analysis report

Static analysis result for SHA-256 2eb7661102805c7d…

MALICIOUS

PDF

Size: 61.0 KB | Created: 2021-08-12 12:05:39 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) | First seen: 2021-10-05
MD5: e7c75b7b8e3d9bb8d81ff11feabdcb4e SHA-1: a494a56fb3b35084c1d2e8d69975484ba8984a73 SHA-256: 2eb7661102805c7d576bd1e9902cee1650fa00176c63d03a40cc5060d3adfeaf
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF is a link farm: 25 clickable URLs, 24 of them .pdf targets spread across 24 distinct hosts, mostly parked in the upload directories of compromised CMS sites (WordPress FormCraft and Super Forms upload folders, FCKeditor/CKFinder user-file directories) or on disposable hosting, plus one feedproxy.google.com redirector link carrying an SEO utm_term parameter. This is the 'free document/template' SEO phishing pattern: the document ranks for search queries and routes readers into payload or redirect chains hosted on the linked sites. The PDF itself carries no exploit code; the risk lies in the linked destinations. The ClamAV phishing signature and the Nyx PDF classifier score corroborate the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9569

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    This small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    The PDF contains an external URL action (a link annotation with a /URI action).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label below for how each URL was reached (macro, JS, link annotation, document body, ...).
    • http://clarksville.net/wysiwygfiles/file/zabukenuki.pdf (channel: PDF document text)
    • https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/16112f9afc7fef---16219843831.pdf (channel: PDF document text)
    • http://tdsns.ru/userfiles/file/13617547636.pdf (channel: PDF document text)
    • http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608454427ff46---10456450571.pdf (channel: PDF document text)
    • http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/e1a69586ad485e2bac5da4aaba8ceb7b/fejabolewigin.pdf (channel: PDF document text)
    • http://beepost.vn/upload/userfiles/files/gozulaziworanomeriwob.pdf (channel: PDF document text)
    • https://www.lavishlook.se/wp-content/plugins/super-forms/uploads/php/files/c657e34799cd81c3d73138da56816a95/22495531281.pdf (channel: PDF document text)
    • http://mariamozharova.ru/uploads/files/rubajomunox.pdf (channel: PDF document text)
    • http://mmbc.cz/_data/user_files/file/lukekalenogizubujaniw.pdf (channel: PDF document text)
    • https://alate.org/admin/fckeditor/editorfile/pevudef.pdf (channel: PDF document text)
    • http://kaztelcom.kz/ckfinder/userfiles/files/tidiwujifufudegigu.pdf (channel: PDF document text)
    • https://www.pharmaright.ca/wp-content/plugins/super-forms/uploads/php/files/8833oe7mjk2c2o3hd0toddr1si/bafad.pdf (channel: PDF document text)
    • https://promaxsuspension.com/csmimage/file/garosipovozozojabomowari.pdf (channel: PDF document text)
    • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1b11cee209---xarugonamejezikimina.pdf (channel: PDF document text)
    • http://www.amanuttarakhand.org/ckfinder/userfiles/files/sobapagoku.pdf (channel: PDF document text)
    • https://www.ndgai.com/wp-content/plugins/super-forms/uploads/php/files/3mqi96abma81qgf46sba56vago/rexafilewetivuf.pdf (channel: PDF document text)
    • http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a8d1e4578c4---29973369675.pdf (channel: PDF document text)
    • https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a80d17f0d1a---89519779187.pdf (channel: PDF document text)
    • https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/9f3ef7a9b311e6bcc9d024ae5b63e33c/36302729460.pdf (channel: PDF document text)
    • http://vitalenzyme.com/uploads/fckupload/file/7180175668.pdf (channel: PDF document text)
    • http://africansafaris-spain.com/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2Ffile/wevuwom.pdf (channel: PDF document text)
    • http://dblbtech.com/userfiles/file/sevuji.pdf (channel: PDF document text)
    • http://k-yoga.org/file_upload/spaw_upload/file/20210503103845.pdf (channel: PDF document text)
    • https://iescolumbus.org/wp-content/plugins/super-forms/uploads/php/files/b9da0b6af9312c4c377f3e28c4148c3e/80334719011.pdf (channel: PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=controle+passe+simple+6eme (channel: PDF link annotation)
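To show how the two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be reproduced over an already-extracted URL list, the following Python is example code added to this report; it is not the analysis platform's own detector. It takes the 25 URLs listed above as input. The thresholds ("spread thin" means at least 10 external .pdf links over at least 5 hosts with no host holding more than 34% of them), the upload-directory pattern list and the random-slug regex are assumptions tuned to this sample and will need adjusting on other corpora.

```python
"""Link-farm heuristics over URLs already extracted from a PDF (example code added
to this report, not the platform's own detector; thresholds and patterns are assumed)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Upload directories of the two WordPress form plugins the report names.
FORM_PLUGIN_UPLOAD_DIRS = {
    "formcraft": re.compile(r"/wp-content/plugins/formcraft/file-upload/", re.I),
    "super-forms": re.compile(r"/wp-content/plugins/super-forms/uploads/", re.I),
}
# Other editor / user-upload storage present in the URL list (assumed, not exhaustive).
GENERIC_UPLOAD_DIRS = re.compile(
    r"/(?:ckfinder|fckeditor|userfiles|user_files|uploads?|wysiwygfiles|spaw_upload)/", re.I)
# Random-slug file name: a long hex/digit run, optionally '---'-joined to a second
# token (FormCraft style), or a pronounceable run of letters (assumed shape).
RANDOM_SLUG = re.compile(r"[0-9a-f]{8,}(?:---[a-z0-9]+)?|[a-z]{5,}")


def classify_url(url):
    """Facts about one URL that the link-farm heuristics consume."""
    parts = urlsplit(url)
    # Test the whole URL, not only the path: FCKeditor connector links carry the
    # .pdf target inside the query string.
    is_pdf = url.lower().endswith(".pdf")
    stem = url.rsplit("/", 1)[-1][:-4].lower() if is_pdf else ""
    plugin = next((name for name, rx in FORM_PLUGIN_UPLOAD_DIRS.items()
                   if rx.search(parts.path)), None)
    return {
        "host": parts.hostname or "",
        "is_pdf": is_pdf,
        "form_plugin": plugin,
        "generic_upload": plugin is None and bool(GENERIC_UPLOAD_DIRS.search(parts.path)),
        "random_slug": is_pdf and RANDOM_SLUG.fullmatch(stem) is not None,
        "seo_redirector": "utm_term" in parse_qs(parts.query),
    }


def link_farm_verdict(urls, min_pdf_links=10, max_host_share=0.34):
    """Score a URL list; the two heuristic names come back True when they fire.

    'Spread thin' (assumed thresholds): at least min_pdf_links external .pdf links over
    at least half as many hosts, none holding more than max_host_share of them. A normal
    bibliography clusters on a few hosts and fails this test."""
    facts = [classify_url(u) for u in urls]
    pdf_links = [f for f in facts if f["is_pdf"]]
    hosts = Counter(f["host"] for f in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    plugin_hosts = {f["host"] for f in pdf_links if f["form_plugin"] and f["random_slug"]}
    v = {
        "urls": len(facts),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 3),
        "random_slug_targets": sum(f["random_slug"] for f in pdf_links),
        "form_plugin_uploads": dict(Counter(f["form_plugin"] for f in pdf_links if f["form_plugin"])),
        "generic_uploads": sum(f["generic_upload"] for f in pdf_links),
        "seo_redirectors": sum(f["seo_redirector"] for f in facts),
    }
    spread_thin = (len(pdf_links) >= min_pdf_links and len(hosts) >= min_pdf_links // 2
                   and top_share <= max_host_share)
    # CMS-upload farm: random-slug files in form-plugin upload dirs on >= 3 hosts.
    v["PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM"] = spread_thin and len(plugin_hosts) >= 3
    # Disposable/SEO farm: a utm_term redirector, or generic upload storage on >= 3 links.
    v["PDF_SEO_DISPOSABLE_LINK_FARM"] = spread_thin and (
        v["seo_redirectors"] > 0 or v["generic_uploads"] >= 3)
    return v


# The 25 URLs extracted from this sample, as listed in the report above.
SAMPLE_URLS = [
    "http://clarksville.net/wysiwygfiles/file/zabukenuki.pdf",
    "https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/16112f9afc7fef---16219843831.pdf",
    "http://tdsns.ru/userfiles/file/13617547636.pdf",
    "http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608454427ff46---10456450571.pdf",
    "http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/e1a69586ad485e2bac5da4aaba8ceb7b/fejabolewigin.pdf",
    "http://beepost.vn/upload/userfiles/files/gozulaziworanomeriwob.pdf",
    "https://www.lavishlook.se/wp-content/plugins/super-forms/uploads/php/files/c657e34799cd81c3d73138da56816a95/22495531281.pdf",
    "http://mariamozharova.ru/uploads/files/rubajomunox.pdf",
    "http://mmbc.cz/_data/user_files/file/lukekalenogizubujaniw.pdf",
    "https://alate.org/admin/fckeditor/editorfile/pevudef.pdf",
    "http://kaztelcom.kz/ckfinder/userfiles/files/tidiwujifufudegigu.pdf",
    "https://www.pharmaright.ca/wp-content/plugins/super-forms/uploads/php/files/8833oe7mjk2c2o3hd0toddr1si/bafad.pdf",
    "https://promaxsuspension.com/csmimage/file/garosipovozozojabomowari.pdf",
    "http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1b11cee209---xarugonamejezikimina.pdf",
    "http://www.amanuttarakhand.org/ckfinder/userfiles/files/sobapagoku.pdf",
    "https://www.ndgai.com/wp-content/plugins/super-forms/uploads/php/files/3mqi96abma81qgf46sba56vago/rexafilewetivuf.pdf",
    "http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a8d1e4578c4---29973369675.pdf",
    "https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a80d17f0d1a---89519779187.pdf",
    "https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/9f3ef7a9b311e6bcc9d024ae5b63e33c/36302729460.pdf",
    "http://vitalenzyme.com/uploads/fckupload/file/7180175668.pdf",
    "http://africansafaris-spain.com/FCKeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2Ffile/wevuwom.pdf",
    "http://dblbtech.com/userfiles/file/sevuji.pdf",
    "http://k-yoga.org/file_upload/spaw_upload/file/20210503103845.pdf",
    "https://iescolumbus.org/wp-content/plugins/super-forms/uploads/php/files/b9da0b6af9312c4c377f3e28c4148c3e/80334719011.pdf",
    "https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=controle+passe+simple+6eme",
]
```

On this sample both heuristics fire: 24 .pdf links over 24 hosts (top host share 0.042), all with random-slug file names, 11 of them in FormCraft or Super Forms upload directories, 12 more in generic editor upload folders, and one utm_term redirector. A twelve-entry bibliography pointing at a single publisher host fails the "spread thin" test and is not flagged, which is the distinction the PDF_SEO_DISPOSABLE_LINK_FARM description draws against a normal citation pattern. Note that the heuristics run over URLs the extraction stage has already pulled from the document; the ".pdf" test looks at the whole URL because the africansafaris-spain.com connector link carries its target in the query string.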