Malicious PDF — malware analysis report

Static analysis result for SHA-256 354c5db10555d825…

MALICIOUS

PDF

69.3 KB Created: 2021-07-08 09:05:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c284ac498d3fa570cb97149d4bc8c4ff SHA-1: 00a9090b45f62f2481b2684ea2a0323d349474f4 SHA-256: 354c5db10555d825be8a4d67f93630910eb73f0582a9370293fda23dc9d22776
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document is identified as a phishing lure due to its image-only nature and embedded links. The heuristics indicate it functions as a link farm, directing users to compromised WordPress upload storage, likely to facilitate the download of further malicious payloads. ClamAV detection and ML classification confirm its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5460

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 69 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ketchas.ru/uplcv?utm_term=the+whispering+hillock+witcher+3
    • https://g-ortho.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160909473c1497---lulewazev.pdf
    • https://agmatbaa.com/upload/files/tekixonufeve.pdf
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/6ifq141rj8brtfkj621km3tk9c/62089536958.pdf
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160bb591977584---2346044007.pdf
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085f6f727a96.pdf
    • http://www.stratcareerservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607973b3ed9da---miwumoxemiwajimu.pdf
    • http://jevades.com/aircraft/fckimages/file/fitufulazobuvaber.pdf
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/t29sksgnkvmbgpq4vu71uq25eq/nasogowit.pdf
    • http://www.victorian-manor.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160b26f1a3898a---wudepe.pdf
    • https://www.tonygssoulfood.com/wp-content/plugins/super-forms/uploads/php/files/b4bc7a034ad4d37553bef9ac55fcec65/jujokenevozitevuguno.pdf
    • http://alfavit.tv/userfiles/file/43098961342.pdf
    • http://abwlanham.com/uploads/files/towuweruwazutuzur.pdf
    • https://mobistore.co.nz/wp-content/plugins/super-forms/uploads/php/files/114d3d7dad2ab4850a30deb16940a53b/mufivafavumoniwo.pdf
    • https://relaxationplusmn.com/wp-content/plugins/super-forms/uploads/php/files/420cb11a34cc50f293526e43fd1f00a1/ropokizidukasuguno.pdf
    • http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a06b177a00e---5048501601.pdf
    • http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf286d770b9---60577266539.pdf
    • https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092f71702eb7---virusab.pdf
    • https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2837bbfa61---71933781999.pdf
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/fca80821ccd914ef0e682a8e20cf8027/28112302189.pdf
    • https://www.axelendinggroup.com/wp-content/plugins/super-forms/uploads/php/files/d466ddb6afa0c71e47862d7b22dcdd5e/namerusub.pdf
    • https://gencshow.com/upload/ckfinder/files/nugowojalidezuridaj.pdf
    • http://aceonlinementors.com/userfiles/file/jukenemat.pdf
    • https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e00cc7a4ee---sefetowetejipuvavobaguse.pdf
    • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/16075ebaa69117---lirumumesirisafovavazux.pdf
    • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160983663aeaff---wagufikoso.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.