Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d8d903182cc874f…

MALICIOUS

PDF

80.0 KB Created: 2021-05-25 03:06:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f8afc9148ffd8087dc3d8d52dfd8ddc SHA-1: 457f7ab7ef03521e966f7b5767679880091912b1 SHA-256: 3d8d903182cc874f61c834f5dfa38042413b7fb2f6da500f272fd6e8b6624bb3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many hosted on compromised WordPress installations, suggesting it functions as a link farm or phishing lure. The embedded URLs and the overall structure point towards an attempt to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8211

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=abnormal+psychology+17th+edition+pdf+free
    • http://timatey.kz/wp-content/plugins/super-forms/uploads/php/files/rhqnvola4fndfn21fhs0f9mml3/98221807750.pdf
    • https://higher-reason.com/wp-content/plugins/super-forms/uploads/php/files/e2eqhk5q5pq956euo07vafl5oi/7120470901.pdf
    • http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/70g49q07n1le27c57ar2fiin93/18663452342.pdf
    • http://akgikorea.com/file_upload/fck_upfile/file/87083928842.pdf
    • http://www.myhhsi.com/wp-content/plugins/super-forms/uploads/php/files/818fe2ba3db9d8f97fb13326b23ee312/2307111682.pdf
    • https://cosalesrep.com/wp-content/plugins/super-forms/uploads/php/files/f6a0c90f04b95066b6eec32c1bb786c2/zowajenalikegufiwamudene.pdf
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/16073ab82ac1ec---kavemamotilarefe.pdf
    • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/b75a84c627ce603d594407a1b73cd4d2/75110015418.pdf
    • http://goteneplast.se/files/images/file/zaxupaguv.pdf
    • https://hcs1000.org/wp-content/plugins/super-forms/uploads/php/files/2a6b106afc4b045c6148d8b5798817e3/zetedimemifajeboxabifet.pdf
    • http://bouncebodysupplements.com/newerac2c/userfiles/file/71736596217.pdf
    • http://anandamsanyal.com/userfiles/file/dazejijinovewajexufofu.pdf
    • http://nedirajtebosnu.net/userfiles/file/78654302265.pdf
    • https://www.rydalmereprestige.com.au/wp-content/plugins/super-forms/uploads/php/files/q4bt0udb793ndngf85dbb0kmpf/29945931496.pdf
    • http://az4group.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607f38fb60b6b---tejufebixiw.pdf
    • http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160a3755c17fc1---19344397886.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011f5c.bin
bfc7f89299da2bcd9c366e60624843b094f6c6249a0663cad857486fb3b2b2c0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11F5C 5932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.