Malicious PDF — malware analysis report

Static analysis result for SHA-256 36e84311a7b95204…

Verdict: MALICIOUS
File type: PDF
Size: 81.8 KB
Created: 2021-06-26 12:25:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: 943f8d11ae47dc32b5c15ecb777e77e7
SHA-1: c9ea9b17b4dc089fd85ba49e06c47e2d59d2ebaf
SHA-256: 36e84311a7b95204c3b51b818e5821819f2e3dfc432e3870bc7a973b63cbe847
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs that form a link farm, directing users to compromised WordPress upload directories and other disposable hosting sites. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to lure users into clicking malicious links for phishing or malware downloads. No scripts were extracted, but the structure and URL patterns are indicative of a phishing or redirection campaign.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4045

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://oniceh.ru/uplcv?utm_term=fully+compensated+metabolic+alkalosis (PDF link annotation)
    • http://hillcountryawningsandsunscreens.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb735cb77d---22300021510.pdf (in PDF document text)
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606d353ad74ae---54290350617.pdf (in PDF document text)
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608615d2128be---91948840270.pdf (in PDF document text)
    • http://envigest.cz/upload/file/85606166637.pdf (in PDF document text)
    • http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160a29ad3e10c1---90980946036.pdf (in PDF document text)
    • http://www.ellisrasbetonwerke.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607288968a5e0---71107297631.pdf (in PDF document text)
    • http://thuduchouse.vn/pics/file/vutexarelixa.pdf (in PDF document text)
    • http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160778fc84dac1---xajaro.pdf (in PDF document text)
    • https://118highschool.am/wp-content/plugins/super-forms/uploads/php/files/f8e2d29947e4527330f2da2d25b03416/46372790196.pdf (in PDF document text)
    • https://costumeworld.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f2545620ca---sawetozufukuwetubab.pdf (in PDF document text)
    • http://scheiden-maassluis.nl/uploads//file/vudedewijigomivu.pdf (in PDF document text)
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d430ce2d28---mopor.pdf (in PDF document text)
    • http://hi-techfiber.com/userfiles/file/pubixujikodotinurovol.pdf (in PDF document text)
    • https://imapcb.org/wp-content/plugins/super-forms/uploads/php/files/27584f39e2f95a20553715b3acc77540/roveto.pdf (in PDF document text)
    • https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/f489c926bba06ed8d9734d65f1edcb08/2056299016.pdf (in PDF document text)
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/vglc9b9g9mu5aqgcniip3mq6uk/98691613357.pdf (in PDF document text)
    • https://trucraftsmanship.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd22d422bb1---78401009238.pdf (in PDF document text)
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077e70a31193---movukosufamisixo.pdf (in PDF document text)
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5f10f1072---minorirezu.pdf (in PDF document text)
    • https://www.elitelawnsolutions.co.uk/wp-content/plugins/super-forms/uploads/php/files/4s7kk14528nmq2sg3pu0b77a53/6004632802.pdf (in PDF document text)
    • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/7ed2abaf34ebe50d72c17f460a653e61/15622941468.pdf (in PDF document text)
    • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/hom02hssm9l6p5hsblncv87803/vuzuzaj.pdf (in PDF document text)
    • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160882813c2adc---89408638734.pdf (in PDF document text)
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/c290cedc2eb9a2eb111542c1702df3b6/16530897107.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f073.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF073
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • Filename: font_01_sfnt_off0001088a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1088A
    Size: 10996 bytes
    SHA-256: 79cc87ae4cb6eb0acfe99ec5d9443aacae9b9319ddb85b0d2df6cc79720594d4
  • Filename: font_02_sfnt_off000121e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x121E4
    Size: 16472 bytes
    SHA-256: 66c9a441a8660a2564442f09ea066545900cbb54e4d75652a1e9d3721b5f8371