Malicious PDF — malware analysis report

Static analysis result for SHA-256 38e3ffa455838ba6…

MALICIOUS

PDF

Size: 69.5 KB
Created: 2021-06-07 04:46:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-20
MD5: f66c8c39df61eac4c4fcdcd834a41514
SHA-1: 98c99ed2a6d0f9d2c7e6cfd063af6f81ef379142
SHA-256: 38e3ffa455838ba65b221b870f8c2811032e40f0d5db3c5b0962bdc7700b7a2c
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links to external URLs, many hosted on compromised WordPress sites, suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, appears to be a lure related to employment attestations. The presence of multiple PDF-specific heuristics indicating malicious links and compromised CMS uploads strongly supports a malicious intent, likely to download a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8302

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL (severity: high, rule: PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, followed by the channel that reached it):
    • https://pixomot.ru/uplcv?utm_term=cerfa+attestation+pole+emploi+vierge+remplissable (PDF link annotation)
    • http://gsoam.ge/wp-content/plugins/formcraft/file-upload/server/content/files/160b0f1e68dc18---32448099993.pdf (in PDF document text)
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad997ba64be---pumiduwujiw.pdf (in PDF document text)
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/bkc4tklaecq16khclnmaa9eek2/sosotibejamemotovejalu.pdf (in PDF document text)
    • http://victorylimo1.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b5e23721fdd---76410860565.pdf (in PDF document text)
    • https://www.beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/01859b97297b71629b79a38958d5eb22/52998981392.pdf (in PDF document text)
    • https://f1com.ge/wp-content/plugins/super-forms/uploads/php/files/688535c81d8371ecd8ebe5c7fb300e78/pabirejegawagitis.pdf (in PDF document text)
    • http://elonsummerstorage.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac2e19537ca---malewubowosuxaximig.pdf (in PDF document text)
    • https://www.toptalentusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a85df7c6541---57022152843.pdf (in PDF document text)
    • https://graffitipaintstudio.com/wp-content/plugins/super-forms/uploads/php/files/6881fe8610fd566e5728b0be2154e8b2/47411974468.pdf (in PDF document text)
    • http://albino-pitti.com/pub_img/file/45478173149.pdf (in PDF document text)
    • https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/1rcmk9msqd34u28h6v13qnka7l/26235257463.pdf (in PDF document text)
    • http://podlahypilat.cz/admin/file/malasokulaxogi.pdf (in PDF document text)
    • https://personalloan2u.com/wp-content/plugins/super-forms/uploads/php/files/51c662472a76d332141970ba02396452/80045259002.pdf (in PDF document text)
    • https://cullinanconstruction.com/wp-content/plugins/super-forms/uploads/php/files/fkp6dhvv59s27kapta6q6upci3/22178305758.pdf (in PDF document text)
    • https://evenimentecastel.ro/wp-content/plugins/super-forms/uploads/php/files/t264uu6u7nacc3os89370rb5o4/11726552298.pdf (in PDF document text)
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1609611c36e2a2---lekavixomazijozunalaru.pdf (in PDF document text)
    • http://aklond.com/UploadFilesfile/%5C/2021051003172823.pdf (in PDF document text)
    • http://gtshotel.it/images/file/19455706727.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f813.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF813
Size: 5324 bytes
SHA-256: 758f9209e13a9b3abe85f3f0d95320b0318533e52f4c0c61b7152eafadb557ed