Malicious PDF — malware analysis report

Static analysis result for SHA-256 3238a4b65d099b4c…

MALICIOUS

PDF

101.5 KB Created: 2021-08-19 03:48:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 09142dfbfe348ec611bb3287cddded27 SHA-1: 848311f606044f6e0dbc1c76dcb17f3e5b662cb7 SHA-256: 3238a4b65d099b4cee9e1b54a9f386c759027535aa65471aed99a7850b076fd9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by ClamAV as a phishing trojan and a machine learning classifier indicated maliciousness. It contains numerous links to disposable hosting and compromised WordPress upload directories, suggesting it's part of a link farm designed to distribute malware or lead to phishing pages. While no scripts were explicitly extracted, the PDF structure and link farm behavior are indicative of a malicious document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8677

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://southportrubbish.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aaf6c1009c9---70983640799.pdf In PDF document text
    • http://udemadriatic.com/userfiles/files/32162011650.pdfIn PDF document text
    • http://sunmoon-glory.com/web/upload/files/muvevulakijuvek.pdfIn PDF document text
    • http://peaceinsrilanka.lk/ckfinder/userfiles/files/98246095885.pdfIn PDF document text
    • http://www.asejnrtigers.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a8cf3a58e38---55080306950.pdfIn PDF document text
    • http://netflor.pl/upload/File/1799698891.pdfIn PDF document text
    • http://morgancountyoh.com/userimages/todisuvemafefuxixilunevux.pdfIn PDF document text
    • http://entone.es/wp-content/plugins/super-forms/uploads/php/files/edd818f2171e7332c021c480e322eda1/silizamudikoratas.pdfIn PDF document text
    • http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aceeccc2a0d---61659940577.pdfIn PDF document text
    • https://christianboudreau.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c4fcbc6d1b---tevumiteke.pdfIn PDF document text
    • http://yer-krasnodar.ru/ckfinder/userfiles/files/46858360707.pdfIn PDF document text
    • https://leicht-spb.ru/wp-content/plugins/super-forms/uploads/php/files/de8eaf7e0f9af5ee0385f493b50bd058/xavijisodira.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085dd4f93224---40189059206.pdfIn PDF document text
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160755341449f6---25183351729.pdfIn PDF document text
    • https://genegurumiraclehealer.com/userfiles/file/22748852069.pdfIn PDF document text
    • http://stacjaregeneracja.pl/userfiles/file/bemuwiregabame.pdfIn PDF document text
    • http://darec.sk/files/files/9248875422.pdfIn PDF document text
    • http://liccuza.ro/stiri_files/file/sixevu.pdfIn PDF document text
    • http://mtlebanon62.com/clients/5/5e/5ee551a8be14a26d7d76bc5e90dd1372/File/wixobosav.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/47821658902.pdfIn PDF document text
    • https://777mto.com/contents//files/jinutakovixafo.pdfIn PDF document text
    • http://littlepearlspublishing.in/data/eimages/file/gipedutugamugumovap.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=can+you+download+minecraft+story+mode+on+pcPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000157c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x157C9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00016fe0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16FE0 11112 bytes
SHA-256: 629d60e8d7665a78cbc6025304388d7a6c616fa1eb1d293f41434f311e52383e