Malicious PDF — malware analysis report

Static analysis result for SHA-256 35fb25ba810eee3e…

MALICIOUS

PDF

76.5 KB Created: 2021-06-12 14:19:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: b908ac4f837e81ff240390a49aa7d82b SHA-1: a35172f0e78f14d2aa6001da744380cb9968d22a SHA-256: 35fb25ba810eee3e274442c04f2068a8f2fa4e66ab16671f41996699b51ca524
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to compromised WordPress sites, suggesting it functions as a link farm to distribute phishing content or malware. The presence of embedded URLs and the overall structure point towards a spearphishing attachment attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9239

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=flywings+mod+apk PDF link annotation
    • https://travolution.travel/wp-content/plugins/super-forms/uploads/php/files/befe7ad541c57ee761618987f8631f65/16088957457.pdfIn PDF document text
    • http://informerfitness.com/wp-content/plugins/super-forms/uploads/php/files/a88c929b2497096c9eefba1a88265abd/16765732594.pdfIn PDF document text
    • http://vdgairconditioning.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16091e5fc6a198---72947325640.pdfIn PDF document text
    • http://tikatalog.sk/_files/file/9153144575.pdfIn PDF document text
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/0419e0d1eb81d1f833c5249823e9009b/dosagumolisexe.pdfIn PDF document text
    • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083fcfe19899---jawepud.pdfIn PDF document text
    • https://ascinfratech.com/clientprojects/trading/file/49636812102.pdfIn PDF document text
    • http://anaminfo.com/attachfile/file/sofufonuwawividuxomid.pdfIn PDF document text
    • https://prikolnaya.com/wp-content/plugins/super-forms/uploads/php/files/e65d72d8bf9b73cd1ca59f6ad80be45c/11934252253.pdfIn PDF document text
    • https://dazzlin.co.uk/wp-content/plugins/super-forms/uploads/php/files/53019e570b6a7624e87336ba5acd394d/26887253875.pdfIn PDF document text
    • http://whatdwellswithin.com/file/86208494582.pdfIn PDF document text
    • https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/501604b037898f446f3c2a76b4a29ffb/fepapaliwinawarevi.pdfIn PDF document text
    • http://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d60c376cb8---wuripegobakasepozimoxog.pdfIn PDF document text
    • https://www.kbstephens.com/wp-content/plugins/super-forms/uploads/php/files/2d9dc79996a0b865e27758e725d2b100/53238201000.pdfIn PDF document text
    • http://eduomania.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086ddc8af2cf---ganubemiza.pdfIn PDF document text
    • http://chocolatycakes.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8fb923a4b9---xizodizujijufowozaga.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF56 4988 bytes
SHA-256: 44f2d972ad92b9518ea3deb705574ee94e1f2af2b25416d69fefc0182b31d078
font_01_sfnt_off0000f03e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF03E 20632 bytes
SHA-256: 035b8076b978d788db7bc698fa7662f4e2bc236da1299d4f07708e57b2de865f
font_02_sfnt_off000120e0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x120E0 4324 bytes
SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e