Malicious PDF — malware analysis report

Static analysis result for SHA-256 4085bbb5eab26642…

MALICIOUS

PDF

57.1 KB Created: 2021-06-04 22:41:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 5c977367d6c6c4be83391087e3451e0d SHA-1: c6e5d0e14a02d8382ca9af507f752493de6a2ce0 SHA-256: 4085bbb5eab266422108f4fde7837c441f385076269c06ae244f992ffa82d3ba
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document is identified as malicious by multiple heuristics and an ML classifier, with ClamAV detecting it as a phishing trojan. It contains numerous links pointing to compromised WordPress sites, suggesting a phishing or malware distribution scheme. The document's content, though heavily obfuscated, appears to be a lure for driver downloads, likely to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8773

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=nvidia+geforce+8400m+gt+driver+download+windows+7 PDF link annotation
    • http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16078aa7ed09d3---nunasojow.pdfIn PDF document text
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/49df30a0eea796edb54570167039d741/foperanaziniper.pdfIn PDF document text
    • https://pinotcar.com/wp-content/plugins/super-forms/uploads/php/files/2a2bd60b3f4215b6f5c7eed8917b81c2/nidifodularalavekexaj.pdfIn PDF document text
    • http://suportti.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087a1a6b1db6---99640173056.pdfIn PDF document text
    • http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b2b0c005f7---77543626266.pdfIn PDF document text
    • https://namastehealth.in/wp-content/plugins/super-forms/uploads/php/files/6j7kdqk8uagn15mjfec4hsb7df/34668690910.pdfIn PDF document text
    • https://www.northwoodmedical.ca/wp-content/plugins/super-forms/uploads/php/files/qdvsvoa5eqtand1j94q40a5pts/41494522810.pdfIn PDF document text
    • http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b846ea9172e---9969896923.pdfIn PDF document text
    • http://stkvn.ru/wp-content/plugins/super-forms/uploads/php/files/d2d915218f2f8476ceb013e5e35c4651/zeduxewesifetufaduvutibi.pdfIn PDF document text
    • https://www.ezhealthcheck.com/wp-content/plugins/super-forms/uploads/php/files/emku6kvepas5e4jtv5s0mhvv3n/desivozisimuxe.pdfIn PDF document text
    • http://festivaldeliteraturadepereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/160813463907a9---74792158179.pdfIn PDF document text
    • http://www.moteco.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608ae1036f9d3---nugibojozu.pdfIn PDF document text
    • http://blueyee.com/upload/file/110826329759.pdfIn PDF document text
    • http://www.cargeacrew.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608124f1556fc---sewegusazewokijopepug.pdfIn PDF document text
    • http://aaexpansionjoint.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fd8e3cb4a0---73500832843.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d1bb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD1BB 5752 bytes
SHA-256: a2adc10bec422cb1f1ea5d433399171018c9d3b3ed162e8f9c2bd45a5af8500a

Open this report in the interactive analyzer, or submit your own file for analysis.