Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fed9bac9eb34ba0…

MALICIOUS

PDF

73.6 KB Created: 2021-05-21 03:14:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff63b3ee7fd84df1e325f385e6b1943f SHA-1: 45547e6e9b2852b1fa699d012757bfa08bfe1721 SHA-256: 2fed9bac9eb34ba07e254667fadc535ce3e91e3185e5f0f8096f89653af77054
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links to compromised WordPress sites, suggesting it's part of a link farm designed to distribute malicious content. The presence of a URL with a 'utm_term' parameter related to a book title indicates a lure to trick users into downloading further malicious PDFs. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9291

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/uplcv?utm_term=the+norton+introduction+to+literature+12th+edition+pdf+reddit
    • http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607309b9852ca---50145052329.pdf
    • https://precisionautoandac.com/wp-content/plugins/super-forms/uploads/php/files/d02028366f1e88160993ce696c325872/56836533825.pdf
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/1607d3cef82604---81218884656.pdf
    • http://zawayakw.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c8724cdeec---56297104402.pdf
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f5099e7a47---bexud.pdf
    • https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/7e4pv5at2953heeq4vgptso5un/58502514277.pdf
    • https://journeypeople.cc/wp-content/plugins/super-forms/uploads/php/files/68966d00ea461ca08371be12db8c4d3b/dupukovarid.pdf
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/6243ee399383f35ccea2eb128d876524/15816268875.pdf
    • http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160780d3aaef79---bamibokibubegegexibak.pdf
    • http://harasim.cz/uploaded/files/womosuwomejiluduzezod.pdf
    • http://trainternational.in/wp-content/plugins/formcraft/file-upload/server/content/files/1608dcda072183---rewinomekenozodazeva.pdf
    • https://mandalaconfeccao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16081bafcde750---52700303071.pdf
    • http://ekolojikweb.net/upld/userfiles/file/79719225495.pdf
    • https://telewebmarketing.com/FCKeditor/file/betanudesunopoge.pdf
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1606ceb6124aed---48114209500.pdf
    • https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608854a492e18---darimitonufubudobuvejosez.pdf
    • http://zaun-produzent.de/userfiles/file/laxesa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df8b.bin
589fc6721b4a7dd0fff02cf8e882fc768af68dcf4cea32aa2d4fabf68e138004		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDF8B 5080 bytes
font_01_sfnt_off0000f0c6.bin
b6a89b2dfa025d1e010cda73677c183baad2c1020740b0c436e21bcf5e3d4bd4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF0C6 12092 bytes
font_02_sfnt_off0001191d.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1191D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.