Malicious PDF — malware analysis report

Static analysis result for SHA-256 3859fb7c9aed1803…

MALICIOUS

PDF

70.9 KB Created: 2021-09-21 08:59:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 5e0b1b2b57bc319f2cb72ed99c4cc609 SHA-1: e1a04f7fc96c7f6e2a6ad4d297b7676413244716 SHA-256: 3859fb7c9aed1803c474a0fb660c6b4ff848bfb51ed5bc959a4ff82943e5e112
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs pointing to compromised WordPress upload directories and other disposable hosting sites, indicating a link farm designed to redirect users. ClamAV detected this as a phishing trojan. The presence of external URIs and a link farm heuristic strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9013

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=vice+city+android+1 PDF link annotation
    • http://joshuadacosta.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613498cb42477---84834995711.pdfIn PDF document text
    • http://archiw.bibliotekalesmierz.eu/img/upload/files/kawavazezajagixidodi.pdfIn PDF document text
    • https://matricula.arendic.cl/files/kopopakumoladenew.pdfIn PDF document text
    • http://nyitotthaz.hu/userfiles/files/gaxilozujofelanufezuwelor.pdfIn PDF document text
    • http://energyexcess.com/userfiles/file/32492518549.pdfIn PDF document text
    • http://asbufestival.com/uploads/FCK_files/file/fujepanajatisixosi.pdfIn PDF document text
    • http://80tner.friend-match.com/upload/files/8772170900.pdfIn PDF document text
    • https://vegan-eshop.cz/data/file/20004605115.pdfIn PDF document text
    • http://coming-c.com/userfiles/file/sotamaluxobarilugoguvidu.pdfIn PDF document text
    • https://happycustomerservice.com/wp-content/plugins/super-forms/uploads/php/files/8b2050b293d743b7a50a705e57f53a78/69758884788.pdfIn PDF document text
    • http://vipdiler.ru/files/file/83117488840.pdfIn PDF document text
    • http://wecans.net/_UploadFile/Images/file/48028443.pdfIn PDF document text
    • http://chinajnbt.com/images/upload/File/vepubajumeg.pdfIn PDF document text
    • https://italvaping.com/file/11152812407.pdfIn PDF document text
    • https://nedimgame.net/calisma2/files/uploads/92315687233.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/rodofemopig.pdfIn PDF document text
    • https://kakvkusno26.ru/wp-content/plugins/super-forms/uploads/php/files/cb6534580f25995bcbb183ddcfb0e137/1186642690.pdfIn PDF document text
    • http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613a93e8ef90e---firudegel.pdfIn PDF document text
    • http://geometracosentino.com/userfiles/files/60812828788.pdfIn PDF document text
    • http://vizit-k.net/uploads/editor/files/bataja.pdfIn PDF document text
    • https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/df5743b6536879e58e362a995d61f196/bukosupulomovepul.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c4c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC4C0 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000dcd2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCD2 16364 bytes
SHA-256: a0778d9c5c80f628c579078f73aed31793f790a9cd30efd2bb849b0db6fd80f6
font_02_sfnt_off000106dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x106DD 10284 bytes
SHA-256: 5f57c3c0549203243f7974f7aff62caf7a34479ebaef7ab0d44a7b46c63e5c7e