Malicious PDF — malware analysis report

Static analysis result for SHA-256 395b7b18e80778ac…

MALICIOUS

PDF

101.5 KB Created: 2021-06-13 21:32:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-31
MD5: fe900545d099d3da8b868d2ff89b4719 SHA-1: a89d92cd882956f62dc882b9c0e30a4149a80d3a SHA-256: 395b7b18e80778ac92eb4b1d88dbbbb3212c0eed2473eb1425653a06f9ec7a3b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous embedded links, many of which point to compromised WordPress sites, suggesting a phishing or malware distribution campaign. The heuristic firings indicate a link farm strategy, with URLs often containing "utm_term" parameters, commonly used in phishing lures. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7989

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=moon+confidant+guide PDF link annotation
    • http://www.peopleoftheheath.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082a65d57835---86481009273.pdfIn PDF document text
    • https://sg-design.top/wp-content/plugins/super-forms/uploads/php/files/803df55039138f8a80d32cfb0385f57f/zutajax.pdfIn PDF document text
    • http://anhuishangbiao.com/upload_fck/file/2021-5-1/20210501052142370029.pdfIn PDF document text
    • https://www.infrascale.com/wp-content/plugins/super-forms/uploads/php/files/7035e26f4a18eb6297f50c0f41905c22/xuvovufivinalusoku.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085aace124bd---851974415.pdfIn PDF document text
    • http://www.louthadventures.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1607073427f266---73975060787.pdfIn PDF document text
    • https://dgaspcsm.ro/ckfinder/userfiles/files/xenofa.pdfIn PDF document text
    • https://www.getfitcrew.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5931ecf55---bilifezolusuberuzamer.pdfIn PDF document text
    • https://jjmassociates.com/wp-content/plugins/super-forms/uploads/php/files/661fdc4329b9f4c1161ee76a64d61aa2/fumujesa.pdfIn PDF document text
    • https://hopefor.today/wp-content/plugins/super-forms/uploads/php/files/512c55bffa88e2f51c0036457905d108/5451428615.pdfIn PDF document text
    • https://a2designbg.com/userfiles/file/zubafodezarotapawi.pdfIn PDF document text
    • https://nepalipublisher.com/ckfinder/userfiles/files/kejenerog.pdfIn PDF document text
    • https://fnb-concepts.com/images/uploads/files/veloxenomitesugovolaguw.pdfIn PDF document text
    • http://naasschoolofmotoring.ie/fckeditor/userfiles/file/dudevogu.pdfIn PDF document text
    • https://menlopark.com/wysiwygfiles/file/mimunemidelumavufafowum.pdfIn PDF document text
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/1609ac28f8d65f---tapunerotojobuludipol.pdfIn PDF document text
    • https://abugfreemind.com/userfiles/file/54938972643.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015a26.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15A26 2908 bytes
SHA-256: 08482db73b035d1916e9102f0f160f6c62f163b013de05440e5e5f484acf267d
font_01_sfnt_off00016489.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16489 4888 bytes
SHA-256: 21690f8b4afe6abf409a2266953e32afeec02fd81217e11d6f0b4f1c0059ef34
font_02_sfnt_off00017552.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17552 11496 bytes
SHA-256: d5bfae652f2d94702216142121b474dc6bb0674209d57e556211564d293ac0ce