Malicious PDF — malware analysis report

Static analysis result for SHA-256 38eec6666583d1a8…

MALICIOUS

PDF

Size: 77.6 KB
Created: 2021-08-29 13:59:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-27

MD5: 90a5c098624a508e96c257768748bb6a
SHA-1: 5fc2eb506fada80ea9c67dd35a6f73f32c3c7335
SHA-256: 38eec6666583d1a800a53458ebc3c97f3603e57588672cbc64aacad766e14a9a

Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF was detected by ClamAV as 'Pdf.Phishing.Trojan'. Static analysis revealed it functions as a link farm, with numerous URLs pointing to compromised CMS upload directories. One prominent URL, http://chagatea.ru/wp-content/plugins/super-forms/uploads/php/files/31cbc2fa638ae776f51120dcd42a9854/70791800476.pdf, is specifically flagged as a compromised CMS upload link. This suggests the PDF is designed to lure users into clicking links that may lead to further malicious content or exploits.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3043

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eb46.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xEB46
Size: 10800 bytes
SHA-256: 08647d7fc3eb8402b9516bd93fb99ed7321a866793c1c7573411519966373631

Filename: font_01_sfnt_off00010437.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10437
Size: 17876 bytes
SHA-256: e0804af2b1c3024b139f9be171562040647ab4481fe24e297bfc00912c60ee93