Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f42c42589e6d030…

MALICIOUS

PDF

72.1 KB Created: 2021-09-13 19:47:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: c61b056d403105516f05d914fb23bb01 SHA-1: a0fb8c7304f9931d0d8aab42faa211fed43712a2 SHA-256: 2f42c42589e6d0301ec6dd550be8a6d0d7f21e9addabb3c09aa739b82146d35b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress upload storage and other disposable hosting, indicating a link farm designed to redirect users. ClamAV and ML classifiers flagged this PDF as malicious, specifically identifying it as a phishing trojan. The presence of these links suggests an attempt to lead users to malicious sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7062

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://puginternational.com/ckfinder/userfiles/files/tabilasakon.pdf In PDF document text
    • https://illustrations.noche.fr/images/files/vifegijanabapoxidafiwi.pdfIn PDF document text
    • https://partnermind.cz/images/files/feduwawarukuveril.pdfIn PDF document text
    • http://bhhangkhong.com/upload/images/files/pajorojixovinunatetitiso.pdfIn PDF document text
    • https://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613c2eda477b2---lonoseboxa.pdfIn PDF document text
    • http://bishnutoursandtravels.in/userfiles/file/kumixalidu.pdfIn PDF document text
    • http://transchem-tech.com/Uploadfiles/files/foredotas.pdfIn PDF document text
    • http://elandtour.com/FileData/ckfinder/files/20210907_E3D92084276AC481.pdfIn PDF document text
    • http://go-trec.com/wp-content/plugins/super-forms/uploads/php/files/hpps63sar0boimutid6gd4tsfm/gefizitop.pdfIn PDF document text
    • http://feach.ie/images/uploads/file/jutepefalovezetisujo.pdfIn PDF document text
    • http://firewaterdamagedfw.com/test/fckeditor/uploadfiles/file/gojabiwidumimuwoteziwunaj.pdfIn PDF document text
    • http://wxmx.cn/upload/ckimg/files/202109072315173802.pdfIn PDF document text
    • http://jadever.vn/Images_upload/files/26169836816.pdfIn PDF document text
    • https://brillimet.com/uploads/files/202109031937372856.pdfIn PDF document text
    • http://macabrey-luthier.fr/data/Files/webetikepogit.pdfIn PDF document text
    • https://prosaison.fr/userfiles/files/lazefuz.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/a0k3oqohp3omjpoeua5a9bcghg/8194403652.pdfIn PDF document text
    • http://cc-loges.com/uploads/file/14744072330.pdfIn PDF document text
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f25d363e87---83132523969.pdfIn PDF document text
    • http://momsystem.ru/public/file/82103969171.pdfIn PDF document text
    • http://hidrometa.com/images_upload/files/25181435007.pdfIn PDF document text
    • https://bfull.ru/uploads/files/43805187415.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=green+pacman+ghostPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ccec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCCEC 17868 bytes
SHA-256: 5e463f97838f785d851ee2915cff2af2e1d1676da0c6f3831006ce5e01c5a3e7
font_01_sfnt_off0000fb66.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB66 10720 bytes
SHA-256: 0a44713cc2c94370dba110d4765319da834ae7fa1bae49aab88ba051b9eb2d68

Open this report in the interactive analyzer, or submit your own file for analysis.