Malicious PDF — malware analysis report

Static analysis result for SHA-256 336f19e6d6bf6422…

MALICIOUS

PDF

68.0 KB Created: 2021-09-04 18:23:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: f935b74ca76e84b35012801108814fc0 SHA-1: 83305bb8050ca493893640004c8f3a4360ea756b SHA-256: 336f19e6d6bf6422e9de221d9dacb6a38224bba722c47826eecfc2dd3ac2589f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users. The presence of embedded URLs and the nature of the heuristics indicate a phishing or malware distribution attempt, likely initiated via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7965

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=nuclear+power+plant+accidents+pdf PDF link annotation
    • http://3bbb.fr/ckeditor/upload/files/zanipi.pdfIn PDF document text
    • https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/6sqd1ivka5to7mlbipluko4m3l/95518542063.pdfIn PDF document text
    • https://honghow.com/ckfinder/userfiles/files/84873323776.pdfIn PDF document text
    • http://th-hl.com///upload/files/31850454914.pdfIn PDF document text
    • http://bangtaisay.com/uploads/userfiles/file/dewudaw.pdfIn PDF document text
    • http://netisiletisim.com/guvennet/resimlerfiles/5651646626.pdfIn PDF document text
    • https://ketgate.eu/wp-content/plugins/super-forms/uploads/php/files/34e432012e749b8d8c73f5cfc28e4568/91469558619.pdfIn PDF document text
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/l8modggq450hvcfkntc7tspf60/rirekugatorevepekakiraji.pdfIn PDF document text
    • http://veterinariacasettamattei.it/userfiles/files/20773233486.pdfIn PDF document text
    • http://churchliferesources.org/wp-content/plugins/formcraft/file-upload/server/content/files/1610e7eaac0d87---xobomususasomulemusizur.pdfIn PDF document text
    • https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/b6c01ce75500a357e5fa73a62aa17c15/lugaketapefeba.pdfIn PDF document text
    • http://tks-forever.com/upload/2021/07/16/file/toreburejitakoviwefo.pdfIn PDF document text
    • http://ferrocom-spb.ru/userfiles/files/4828666847.pdfIn PDF document text
    • http://www.prunay-en-yvelines.fr/ckfinder/userfiles/files/43071139324.pdfIn PDF document text
    • https://icon-studios.com/userfiles/file/kujubaferavamof.pdfIn PDF document text
    • http://infrabud.eu/fckpliki/file/zapep.pdfIn PDF document text
    • https://studiogreenwich.ru/wp-content/plugins/super-forms/uploads/php/files/e421ed44e8b30594eec7023451f43d60/90828529432.pdfIn PDF document text
    • http://carriewoodfamily.com/clients/5/5b/5b9f2fb360c4065436fb7fe1267c3612/File/23897465241.pdfIn PDF document text
    • https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/aa6e7218915aec9bd5c4ae352e4f3e3c/92458813507.pdfIn PDF document text
    • http://www.orarestauratorisaf.it/wp-content/plugins/formcraft/file-upload/server/content/files/160962ce616ab2---pegexurirunewat.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1c5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1C5 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1