Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c6f2bcfac14ff47…

MALICIOUS

PDF

60.0 KB Created: 2021-09-20 04:20:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: a6c89c7577e0c106b01a841e7128e624 SHA-1: d41f079d7c47330c19279521c1e1035fc4c701d3 SHA-256: 3c6f2bcfac14ff474741e6769541d00507ebbad271a821902202235f5a106408
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of embedded URLs, many of which point to compromised or disposable hosting. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of a link farm suggests the document is designed to lure users to external sites, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8243

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=sports+live+tv+app+download PDF link annotation
    • https://vcvscr.cz/www/www/fckphotos/file/74970480788.pdfIn PDF document text
    • http://www.maderas-navarro.com/ckfinder/userfiles/files/molaxifov.pdfIn PDF document text
    • https://bodzlomu.com/userfiles/file/povebugedu.pdfIn PDF document text
    • http://mientaytourist.com/uploads/files/95835305075.pdfIn PDF document text
    • http://chiangmai-clean.com/user_img/files/10167088525.pdfIn PDF document text
    • http://svs-pm.com/wp-content/plugins/formcraft/file-upload/server/content/files/16144aa16230c7---jaleloxelu.pdfIn PDF document text
    • http://architettogherardi.eu/userfiles/files/tavivigebakevexu.pdfIn PDF document text
    • http://youandisagenix.com/ckfinder/userfiles/files/83066360646.pdfIn PDF document text
    • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612f5b1eeecfd---97570061303.pdfIn PDF document text
    • http://partnercable.hu/files/90184129626.pdfIn PDF document text
    • http://mayjack.com/upload/files/dafokuxitesuv.pdfIn PDF document text
    • https://interference.ajoda.eu/userfiles/files/11309771736.pdfIn PDF document text
    • http://ucinnovation.ru/admin/ckfinder/userfiles/files/17785083958.pdfIn PDF document text
    • https://thucphamtruongxanh.com/Upload/files/72847510910.pdfIn PDF document text
    • https://bloomlight.pl/_bloom/file/40970538959.pdfIn PDF document text
    • https://podimercrm.com/img/files/60751032933.pdfIn PDF document text
    • http://2rent.gr/userfiles/file/10149040333.pdfIn PDF document text
    • https://fengshan-zhennangong.org/upload/ckfinder/files/tobufojazi.pdfIn PDF document text
    • https://clubon.top/uploads/files/53043960106.pdfIn PDF document text
    • https://truonggiangcompany.com/userfiles/file/kofojojosa.pdfIn PDF document text
    • https://parisnordmedical.fr/docs/file/70842571020.pdfIn PDF document text
    • http://fotostudiovaccari.it/userfiles/files/24600114891.pdfIn PDF document text
    • https://coastalholidayproperty.com/ckfinder/userfiles/files/memusewefunenawazukivujaz.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613e72f2f2833---43270429940.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c333.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC333 16484 bytes
SHA-256: a3e6d8f38152564f4b184b7cbbd7799688066650ddfc01d7ad46e766d2e8cf4f