Malicious PDF — malware analysis report

Static analysis result for SHA-256 347620ea46884124…

MALICIOUS

PDF

81.8 KB Created: 2021-07-15 20:46:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-27
MD5: 60be3cce77f21f9081471a5cc4eee925 SHA-1: 6d4d8c42bf5aee50267d9c6258b4ab70e646c11d SHA-256: 347620ea468841248646ca640abfb5633d3f11fcd88d2625a90071ae886bec1a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It functions as a link farm, containing numerous URLs pointing to compromised WordPress upload directories. These links likely serve as a distribution mechanism for further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6827

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/160af2beec0d76---56983245959.pdf In PDF document text
    • http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16070c79f06902---pevuwikogofurarumetojexuf.pdfIn PDF document text
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608785f338d7f---13311414708.pdfIn PDF document text
    • https://amitadevnani.com/userfiles/file/12531672811.pdfIn PDF document text
    • https://asiastudy.in/ckfinder/userfiles/files/denipefufawafur.pdfIn PDF document text
    • http://dirabrealtors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072910d98750---judamisudujigediwiripav.pdfIn PDF document text
    • http://jrmhandling.nl/upload/file/buseruderoriziveme.pdfIn PDF document text
    • http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/a1nh9tusbv5agjtco9freo5137/625674354.pdfIn PDF document text
    • http://agnieszkapawlik.com/userfiles/file/40044342398.pdfIn PDF document text
    • https://bodwellassociates.com/wp-content/plugins/super-forms/uploads/php/files/f78bd9704de164f145804359b0d09e01/66901296648.pdfIn PDF document text
    • http://15fratrowreunion.com/clients/2/2b/2b18ccadde375fd95e9ac2d5db5aaa67/File/laralineleluxugezulezoxe.pdfIn PDF document text
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/1607c980ccfdd3---3237355736.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5350c6135a---bizoviro.pdfIn PDF document text
    • https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/160b1e4b881d6c---102998624.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d35a1aba40a---18599749881.pdfIn PDF document text
    • https://flylights.pl/wp-content/plugins/super-forms/uploads/php/files/vbvr69flcm17ir92l61ur25fj1/32954381052.pdfIn PDF document text
    • https://sardavetri.it/userfiles/file/36810148294.pdfIn PDF document text
    • https://aynadakikemalizm.com/resimler/files/59617562738.pdfIn PDF document text
    • https://tantecoccole016.it/file/fifadujukidiji.pdfIn PDF document text
    • http://kwong-cheong.com/userfiles/rujidajenulosawapex.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=miracle+berry+side+effectsPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.