Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bc5bc2e75decba5…

MALICIOUS

PDF

76.5 KB Created: 2021-09-03 07:09:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: ffedcd2a8c9b58926e2dbeae7973ef9a SHA-1: 2456f90d572ab713cfb065ece41b4401df87208f SHA-256: 3bc5bc2e75decba50add2f90c7d851b78063653a31a1a961c28051e9cca628cf
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected as a phishing trojan by ClamAV. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to various websites. Some of these URLs are hosted on compromised CMS uploads or disposable domains, indicating a potential distribution point for malicious content or phishing lures.

Machine Learning

  • Nyx PDF Classifier clean score 0.2303

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kozelsk-adm.ru/files/uploads/files/kibopisizetifepaje.pdf In PDF document text
    • http://meyergarden.com/ckfinder/userfiles/files/newopexusar.pdfIn PDF document text
    • http://woods-china.cn/ci2/userfiles/files/20210718112136.pdfIn PDF document text
    • http://stolizstekla.ru/userfiles/file/65050977100.pdfIn PDF document text
    • https://braindevelopmentmaps.org/userfiles/files/24110275113.pdfIn PDF document text
    • http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c98b6dea7d---93004450096.pdfIn PDF document text
    • https://ecohort.biz/userfiles/files/lalurib.pdfIn PDF document text
    • https://perfecthospitals.com/ckfinder/userfiles/files/kipiwukosunetefer.pdfIn PDF document text
    • https://tortugafilms.ca/adminfiles/file/17593922687.pdfIn PDF document text
    • http://korea-labels.com/ckfinder/userfiles/files/jujezaxigewikoxug.pdfIn PDF document text
    • http://brixtontaxi.com/survey/userfiles/files/51830889097.pdfIn PDF document text
    • https://ags-car.com/upload/files/jeditonupomatabikidu.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b6cad810d8---xolovekudamikujulepa.pdfIn PDF document text
    • https://sckstone.com/wp-content/plugins/super-forms/uploads/php/files/a86aa1731a058ad8f0a02241f8c5691c/xuzoputuz.pdfIn PDF document text
    • http://ecandrychow.pl/Image/files/rafavatulefezi.pdfIn PDF document text
    • http://technology-mp.it/userfiles/files/74992078904.pdfIn PDF document text
    • http://schouteninterieurwerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608a901e621ae---99713959760.pdfIn PDF document text
    • http://imagespa.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160866c43089bd---41049241932.pdfIn PDF document text
    • https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/16080d5eaa40d9---54301824102.pdfIn PDF document text
    • http://standdominica.org/files/files/23939146020.pdfIn PDF document text
    • http://imhyuk.com/imhyukeditor/userfile/file/pubotemop.pdfIn PDF document text
    • https://ruxthai-guesthouse-chiangmai.com/ckfinder/userfiles/files/xonuzageruj.pdfIn PDF document text
    • http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/00m3d6dd2o568iqge8puv4cel4/59006988375.pdfIn PDF document text
    • http://aven.su/userfiles/file/47835202477.pdfIn PDF document text
    • http://vinhthuan.vn/upload/files/75484508044.pdfIn PDF document text
    • http://hissekurban.com/resimler/files/85859514726.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=libros+confucionismo+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de31.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE31 10540 bytes
SHA-256: 67aa9173d0c8bb2425c91bc07272ea98f1614e3bccbe5e5f451893faf390b638
font_01_sfnt_off0000f5e9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF5E9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1