Malicious PDF — malware analysis report

Static analysis result for SHA-256 38213ae473940131…

MALICIOUS

PDF

81.7 KB Created: 2021-07-15 10:51:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: 9d91c4051f64cf4ae7be81a4a73a7f5e SHA-1: bfa4a6bc242107eccd16cc25dc8c22a972705fff SHA-256: 38213ae473940131b3172f49de172544ca6d553fb9d9f9937562e1b1f4e6ed32
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains numerous embedded URLs that point to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of these links strongly indicates an attempt to lure users to external, potentially harmful, websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6048

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=future+form+exercise PDF link annotation
    • https://smilepath.com.au/wp-content/plugins/super-forms/uploads/php/files/ddae1c4b1e5deac0103d6fdfef8b08e9/28378256545.pdfIn PDF document text
    • http://naturallabs.fr/userfiles/file/gizugibaralumivix.pdfIn PDF document text
    • https://www.lightingsolutionsinc.net/wp-content/plugins/super-forms/uploads/php/files/d00e944428448b8b3a6d2c1754795d5e/palufisoselojenis.pdfIn PDF document text
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160786adece4ca---nalogebobaxudoreresijoxut.pdfIn PDF document text
    • http://pillshop.ru/uimg/files/zedixebabeseg.pdfIn PDF document text
    • http://zae.me/datafiles/file/17579705738.pdfIn PDF document text
    • http://zap-interactive.com/uploads/files/tarivajugufepokoxexe.pdfIn PDF document text
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083a90776ed6---7785818625.pdfIn PDF document text
    • http://aaaexpressac.com/userfiles/file/62647027497.pdfIn PDF document text
    • http://darstin.com/userfiles/files/vukigubabebokevib.pdfIn PDF document text
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160b73374dfbe8---juwisutomiwurisofuz.pdfIn PDF document text
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160c1f0afb2ffb---78666183680.pdfIn PDF document text
    • http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/16095087c40bf0---berifobizimebiteburusaxa.pdfIn PDF document text
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/4165c9fbc99daa52eeca6bdbb56e8e02/lugudovibis.pdfIn PDF document text
    • http://ideatity.com/ckfinder/userfiles/files/91123158388.pdfIn PDF document text
    • https://vmwarts.com/ecovic/file/joromifi.pdfIn PDF document text
    • https://postelezmasivu-zlin.cz/ckfinder/userfiles/files/85248645561.pdfIn PDF document text
    • http://fatamorgana.fr/uploads/assets/file/rawewofisu.pdfIn PDF document text
    • http://tofuyatogo.com/uploads/files/dovudepigulunupokerogez.pdfIn PDF document text
    • https://pestresolution.pt/site/upload/file/dadujukubejenerus.pdfIn PDF document text
    • https://cottingham-group.com/cufiles/files/takuzowavelujonos.pdfIn PDF document text
    • https://arket.io/wp-content/plugins/super-forms/uploads/php/files/ccb2pm580lpvhhefs0et418dn7/26045106192.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efc4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFC4 16788 bytes
SHA-256: 6149fda4ae575db76afcc3d87e117d5653a6c1cb37b7ad9d628bd375a48acb56
font_01_sfnt_off00011bb1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11BB1 10364 bytes
SHA-256: 82040118966cb3abf1ad432190d96092dbbb600679ed88a76d49e87781d8ccd7
font_02_sfnt_off00013335.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13335 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1