Malicious PDF — malware analysis report

Static analysis result for SHA-256 36f50691a0533232…

MALICIOUS

PDF

69.3 KB Created: 2021-06-11 11:34:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 82212da408eec29351e3717d471da2c6 SHA-1: a6d390437370a55c51bcb6e8596f05da888d2cfc SHA-256: 36f50691a0533232afd41801ef3d58753bdeb224697d2e500ca8aa2f6e2afe68
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links pointing to compromised WordPress sites and disposable domains, a common tactic for phishing or distributing malware. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as a phishing trojan. The document body is heavily obfuscated and appears to be junk data, offering no direct clues to the user-facing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9678

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ketchas.ru/uplcv?utm_term=wh+questions+listening+exercises PDF link annotation
    • https://unitedcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160833c2f5ae38---83517335092.pdfIn PDF document text
    • http://chronicles.ae/userfiles/files/sopum.pdfIn PDF document text
    • http://www.musicmaestrodiscos.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608e4110edd69---66056368691.pdfIn PDF document text
    • http://abapaposentados.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607a25fc7e351---wezigoxur.pdfIn PDF document text
    • http://mp-hd.de/data/aktualnosci_imgs/file/melos.pdfIn PDF document text
    • http://www.klimavill.com//data/editorfile/57943590091.pdfIn PDF document text
    • http://uat.ideadunes.com/projects/ideadunes-portfolio-site/wp-content/plugins/formcraft/file-upload/server/content/files/160a4f9d4113bd---76295605882.pdfIn PDF document text
    • https://ludifrance.fr/userfiles/file/putepi.pdfIn PDF document text
    • https://alatheir.com/atheirwsfiles/file/80758081138.pdfIn PDF document text
    • https://realestateconnect.biz/wp-content/plugins/super-forms/uploads/php/files/gno20bj2qq30cc6nqcuk8hilq3/pususiwazizofuzewuviwali.pdfIn PDF document text
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a7d52d7d346---73287268839.pdfIn PDF document text
    • https://allcreaturesinc.com/files/files/tidesusovuvabekedaxaja.pdfIn PDF document text
    • https://sodigital.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b10cb707136---4381511850.pdfIn PDF document text
    • http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1608104418f1ec---68998089479.pdfIn PDF document text
    • https://inchiriereelicoptere.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb6ee8def8---42542123120.pdfIn PDF document text
    • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/58088f96457219a780fdddee85aa0786/97242111010.pdfIn PDF document text
    • https://amblamy.ee/upload/file/20503431556.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd5c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD5C 5060 bytes
SHA-256: 341ad78b8f4a8d12814e40bf74ff395415f01e17b37eb30718408865530c7b51

Open this report in the interactive analyzer, or submit your own file for analysis.