Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f8c45f76b57f0f1…

Verdict: MALICIOUS
File type: PDF
Size: 111.7 KB
Created: 2021-05-17 14:19:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a82f031a4d49f577875dba9f7a3ec893
SHA-1: 054ca61f44d61ada15255ddcd6a31c33e6c32880
SHA-256: 2f8c45f76b57f0f1e16aa5527e8bd6313437e201f998e1db4b0e3373307ea879
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous links to external websites, many of which are hosted on compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The ClamAV detection of the file as 'Pdf.Phishing.Trojan' further supports malicious intent. Although no scripts were extracted, the embedded URLs and the nature of the matched heuristics indicate an attempt to exploit users through deceptive content, most likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1703

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_004_off000151f6.bin
    SHA-256: 9c212d0a11ac3bcff0d42db14cd573c5c6ba1b4ffb1bcfd4a60bf53377f74f43
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x151F6
    Size: 11592 bytes
  • stream_006_off00019b7d.bin
    SHA-256: 2782d26f123782bd4449649cdb0775eb4e1a5ac687da2625f07c411f2461a300
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x19B7D
    Size: 20256 bytes
  • font_00_sfnt_off000134ae.bin
    SHA-256: a77d5a3844fb5b2065eed1d176fe480bc4f153c2d0c4bfb8f6cbaa64f3444cc8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134AE
    Size: 5292 bytes
  • font_01_sfnt_off0001469d.bin
    SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1469D
    Size: 3720 bytes
  • font_03_sfnt_off000171ee.bin
    SHA-256: 9545472125b2e446c539168b06eb9fe37d92417f6fa925ed364f493968f6627a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x171EE
    Size: 12804 bytes