Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e7a632aa243aab6…

MALICIOUS

PDF

78.1 KB Created: 2021-09-08 03:52:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 253ee327ab73d81aa81c929eef103af8 SHA-1: 323fd69b26937d99153bcbd8443b343080c4c291 SHA-256: 3e7a632aa243aab6a4896413d565366ffb4bc298ce28d1aaf8112c250d7df0f0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains numerous links to external websites, many hosted on compromised CMS upload directories, suggesting a link farm designed to redirect users to malicious content. The presence of 'utm_term' parameters in some URLs further supports a phishing or spamming campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7162

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/3vlbgfrfd92dnrm7u5rhm0f2p3/puwexo.pdf In PDF document text
    • https://tcufroghouses.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608fe02b941f0---86039002593.pdfIn PDF document text
    • http://mextro.de/upload/files/75687509868.pdfIn PDF document text
    • http://suncitygroup.ir/basefile/suncitygroupir/files/38518050592.pdfIn PDF document text
    • http://wheatland1971.com/clients/25033/File/gesafinize.pdfIn PDF document text
    • https://mauspro.net/upload/files/tevotise.pdfIn PDF document text
    • https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ac7ba75106b---nanunofamodu.pdfIn PDF document text
    • http://thegroverestaurantnj.com/userfiles/files/bawororeseje.pdfIn PDF document text
    • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/75527b46aad0dfbe0749db076fe06e1d/78889309056.pdfIn PDF document text
    • https://dmvassociates.com/wp-content/plugins/super-forms/uploads/php/files/5139ab9980a2f5018fea876edb01fc2d/bamogasogusadojem.pdfIn PDF document text
    • http://rallyteamwalraven.nl/file/86246661979.pdfIn PDF document text
    • https://flexrocksrollovers.com/wp-content/plugins/super-forms/uploads/php/files/n9gtj0lsd0a98fk2rbhp1hde8n/83018529663.pdfIn PDF document text
    • http://dobryremont.pl/ebobas/portal/app/webroot/img/tmp/file/16205491274413.pdfIn PDF document text
    • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/b1822a0d0ec3cdf4fb956963beff6a49/95431497681.pdfIn PDF document text
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160961fc677a28---simagazeludor.pdfIn PDF document text
    • https://elnativocoffee.com/silver/upload/files/79188226773.pdfIn PDF document text
    • http://ropesadventure.com/d/files/46691123020.pdfIn PDF document text
    • http://zawayakw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aa8aa541754---pazigafasugubama.pdfIn PDF document text
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076260b39d4a---rozurinukel.pdfIn PDF document text
    • https://eminenceconstruction.ca/viking1/uploads/files/46713648925.pdfIn PDF document text
    • http://jucal.es/images/file/41544893.pdfIn PDF document text
    • https://tramtron.vn/uploads/files/files/fuvawupomeg.pdfIn PDF document text
    • https://sunridgecorp.com/uploads//files/202108070146105568.pdfIn PDF document text
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160abc0905b71a---gajajamamakesojegezad.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=cara+convert+file+jpg+ke+pdf+offlinePDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec51.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC51 10944 bytes
SHA-256: 74ac2935301a49abf2b2d84f6b378caee60b24922516888c70716662f43ffa1f
font_01_sfnt_off00010595.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10595 17888 bytes
SHA-256: 1c76e278e347b78cabd01c93c076b911de6964f4915cfa0492611bc71e551646