Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d7a8baf0e2005a6…

Verdict: MALICIOUS
File type: PDF

Size: 73.5 KB
Created: 2021-08-06 12:00:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-03
MD5: 77f08cf6d295941fbe1675c16e76f853
SHA-1: aa7ec39218d3b8b06daf66efd4a2903b22bb1411
SHA-256: 3d7a8baf0e2005a6441edd836f064fa337d4e5b0fa097c7ad9666124450de7ae
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is a PDF identified by ClamAV as 'Pdf.Phishing.Trojan'. It contains numerous embedded URLs, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to lead users to malicious content. The ML classifier also flagged it as malicious. The PDF structure and embedded links are indicative of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5251

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d53b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD53B  10788 bytes
  SHA-256: b8daeaec067b27b3b8e02061353f2676805b8d3de3de920fc69cd218d927f6e8
font_01_sfnt_off0000edff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEDFF  16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1