Malicious PDF — malware analysis report

Static analysis result for SHA-256 3553b153dd8ced5c…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-05-23 16:42:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d7c2ee5e026de0c207422a88d1d0265
SHA-1: 492d76df244a37554f495aed06d6260f5b392168
SHA-256: 3553b153dd8ced5c3175b3fe80703107e90872b5bb9c44b51799bcea860d2153
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites. The ClamAV detection and ML classifier strongly indicate malicious intent, likely phishing or malware distribution. The document body's garbled content suggests it's not intended for direct user consumption but rather to host links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7637

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source location inside the PDF, and size.

  • stream_010_off000132e7.bin
    SHA-256: 6ad4b429fdea13a33bf2c30e96315f53f4135c87e5dbadbead006a7a91869a68
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x132E7
    Size: 4827 bytes
  • font_00_sfnt_off0000e109.bin
    SHA-256: d4a55dea8396eff8e00944d3f1e5fa7cc674cc431bb2bdc3974fb5078d32445c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE109
    Size: 5936 bytes
  • font_01_sfnt_off0000f528.bin
    SHA-256: 3bbbab359ba9c278e50c71ede343b6e88ea009d9b09dcb11b88669df62c0435c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF528
    Size: 2264 bytes
  • font_02_sfnt_off0000fef7.bin
    SHA-256: 69ef156bf5e94b7106f84927f627339f90f0e7dff59f55957ac658c97cc82dfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEF7
    Size: 6600 bytes
  • font_03_sfnt_off00011082.bin
    SHA-256: cc98bf081846c4043dcda3c9b0fa2db528c846efc30397efd92443087572765f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11082
    Size: 10080 bytes