Malicious PDF — malware analysis report

Static analysis result for SHA-256 409635e64edd0922…

MALICIOUS

PDF

98.5 KB Created: 2021-08-11 17:41:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: cc6171d0b08ac28300bca3af6fa4f284 SHA-1: fb26b1ffe5a8acfb3af7ce79361e53c36b754dc0 SHA-256: 409635e64edd0922ecf4432b14067a4385a88964c233c2160d81cbb49ba4e2c1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as a malicious PDF by ClamAV and an ML classifier. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to compromised WordPress uploads and disposable hosting. These links likely serve as a distribution mechanism for phishing or malware, aligning with the 'Pdf.Phishing.Trojan' detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5505

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.hotelamoha.it/wp-content/plugins/formcraft/file-upload/server/content/files/16086502cc610f---detefe.pdf In PDF document text
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/160abe54e27d78---57330187265.pdfIn PDF document text
    • https://astdubai.co/userfiles/files/12341495863.pdfIn PDF document text
    • https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/tb8b365a6c9dkp2ahra9qt5au6/59948107127.pdfIn PDF document text
    • http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/cb46bd8a0a2caa031e169d0c6022ee95/37966760919.pdfIn PDF document text
    • https://summit-christian-academy.net/scauserfiles/files/87736623019.pdfIn PDF document text
    • https://thaiwoodengames.com/files/upload/files/93662483609.pdfIn PDF document text
    • http://www.peplex.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608c508d62ada---kubiraj.pdfIn PDF document text
    • http://darienhigh69.com/clients/866565/File/47047251598.pdfIn PDF document text
    • http://fine-trading-knotwork.de/uploads/media/zufonino.pdfIn PDF document text
    • https://inchiriereelicoptere.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160e39729d0b3c---zoxawevogetozekujiki.pdfIn PDF document text
    • http://originalavto.ru/userfiles/file/giviwowikovate.pdfIn PDF document text
    • https://superpart.com/files/59665502682.pdfIn PDF document text
    • https://hohsingfiber.com/ufiles/files/fuzusijebabotemuwa.pdfIn PDF document text
    • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/11630d350ee8067a9881d70e035a8055/xijujuwagedeliza.pdfIn PDF document text
    • https://medok18.ru/wp-content/plugins/super-forms/uploads/php/files/7934626b882137f342931a38511ed39d/76184268629.pdfIn PDF document text
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/160755c979d9ac---25243977727.pdfIn PDF document text
    • https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/d619f14dc3caf1f6e5327486e8ef6052/14485870228.pdfIn PDF document text
    • https://angkoronetour.com/userfiles/file/bikabefepevax.pdfIn PDF document text
    • https://ready4use.ru/uploads/files/94792923921.pdfIn PDF document text
    • https://notofthisgalaxy.com/wp-content/plugins/super-forms/uploads/php/files/b1749umtq7a71ul6okcdqeukk9/94845532640.pdfIn PDF document text
    • http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160c178b288d9e---60994307732.pdfIn PDF document text
    • http://nuraski.pl/wsg/userfiles/vozivudivadafatasa.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=logitech+g+hub+what+is+g+shiftPDF link annotation