Malicious PDF — malware analysis report

Static analysis result for SHA-256 3da7859e8f397f82…

MALICIOUS

PDF

110.5 KB Created: 2021-08-12 03:06:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-07
MD5: c1921311a31915582feaedc65ed6bbb9 SHA-1: 16d21bb8bd778bdf00c10e5ab46a6b886357658f SHA-256: 3da7859e8f397f82ba3315ec96a29436e72f5c159619ea05604ab63b92ed4ab0
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected by ClamAV as Pdf.Phishing.Trojan. The PDF contains numerous links, many of which point to compromised WordPress installations, suggesting a link farm designed to redirect users to malicious content. The presence of these links and the ClamAV detection strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3906

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1610412fd176d3---50247926095.pdf In PDF document text
    • http://lawcab.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607c3cac560ce---522822473.pdfIn PDF document text
    • https://anthonygillant.com/userfiles/file/siparinobosebagofozu.pdfIn PDF document text
    • http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608a3fa37cb00---81184032441.pdfIn PDF document text
    • http://www.circoloaletrium.it/wp-content/plugins/formcraft/file-upload/server/content/files/160821b078b972---39264053094.pdfIn PDF document text
    • https://outsourcedbackoffice.co.uk/wp-content/plugins/super-forms/uploads/php/files/fdd5144d5dd7c89b349ae6e0c6bbaf75/pajevokefetamepuv.pdfIn PDF document text
    • http://www.trotasierra.com/plugins/ckfinder/userfiles/files/65274354617.pdfIn PDF document text
    • https://caribemed.com/userfiles/file/48360055785.pdfIn PDF document text
    • http://www.publicitymailing.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1607cfc72d9abc---giparil.pdfIn PDF document text
    • https://visaonline-vn.com/wp-content/plugins/super-forms/uploads/php/files/acedsd4vuh7ar4mgaldbjl05u6/wisivasofejipozotipema.pdfIn PDF document text
    • https://soechi.net/userfiles/file/zavupudazo.pdfIn PDF document text
    • https://mavachhaiphong.com/upload/files/totuju.pdfIn PDF document text
    • http://bendhorseride.com/userfiles/file/32252372954.pdfIn PDF document text
    • http://parejalecaros.com/adjunto/upload/fck/files/jirolipu.pdfIn PDF document text
    • http://bogaarchitetti.it/userfiles/files/zufuwovujokisi.pdfIn PDF document text
    • https://festival.bg/fckeditorfiles/file/ribupisivarevozevuzovu.pdfIn PDF document text
    • https://event-connections.net/wp-content/plugins/formcraft/file-upload/server/content/files/16077a5f34f321---15350714185.pdfIn PDF document text
    • https://allianztc.ro/files/file/53379924861.pdfIn PDF document text
    • https://gencerenerji.com/resimler/files/82085679016.pdfIn PDF document text
    • http://kezmosas.hu/files/file/8821945369.pdfIn PDF document text
    • https://mides.vn/images/ckeditor/files/87080654392.pdfIn PDF document text
    • http://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609c2dab4ba89---bulatobebidekasixukawoji.pdfIn PDF document text
    • http://truthtube.com/UserFiles/file/setelotijepaforot.pdfIn PDF document text
    • http://hy-concrete.ru/d/files/29572428835.pdfIn PDF document text
    • http://www.cenlajobinator.com/siteuploads/editorimg/file/jokolut.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=examenes+sociales+6+primaria+santillana+proyecto+saber+hacerPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016a16.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16A16 19136 bytes
SHA-256: b9c78b7b75876f647de10e861b01eb307d3691c7ffbcd67f14cc7f98e459edf4
font_01_sfnt_off00019ad0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x19AD0 11148 bytes
SHA-256: 9d0e52db8815316eaf7dc66194b8b607f07418fcacb5230e0492922193546020

Open this report in the interactive analyzer, or submit your own file for analysis.