Malicious PDF — malware analysis report

Static analysis result for SHA-256 423d46ad20589436…

MALICIOUS

PDF

59.6 KB Created: 2021-06-10 01:53:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 53958c41d95d5035e97eab31462ce3c6 SHA-1: 826ee549d15a9eee5e0406a54b765cec0a191009 SHA-256: 423d46ad205894368b9361cf07e48136d218422bec307277c3f906650297233f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file contains a link farm hosted on multiple compromised websites, aiming to trick users into downloading a game. The presence of external URIs and a high ML score indicate malicious intent. While no scripts were directly extracted, the PDF structure and embedded links suggest it functions as a downloader or redirector to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8151

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=download+limbo+full+game+apk PDF link annotation
    • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16086eb08485ca---75087046542.pdfIn PDF document text
    • https://www.synergyheart2heart.team/wp-content/plugins/super-forms/uploads/php/files/6b8d9uecbl1ggbts0m3sbcu7c5/41294961507.pdfIn PDF document text
    • https://cullinanconstruction.com/wp-content/plugins/super-forms/uploads/php/files/r1ft2877d10n42r8kcbk32091f/58985447669.pdfIn PDF document text
    • http://fitviewer.biz/files/file/nuvajerememujekosogazofiz.pdfIn PDF document text
    • https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/7a725540b59a289599e86a376d3802f3/82448223863.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ef568dcd6a---livuzizuriresoligiva.pdfIn PDF document text
    • http://bukhatirhomes.com/userfiles/file/vavumovevixelofomof.pdfIn PDF document text
    • http://yuhongzg.com/d/files/60583787825.pdfIn PDF document text
    • https://www.emmabowman.com/wp-content/plugins/super-forms/uploads/php/files/e19e26126e23ce77db76c1880450b6f1/jujonemasitokozerawazisez.pdfIn PDF document text
    • https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afd18b08d40---zakijejefuzodi.pdfIn PDF document text
    • https://phoenixknights.co.uk/wp-content/plugins/super-forms/uploads/php/files/e20790bcce5d8f9db9306ddbe955b719/takomoganidikud.pdfIn PDF document text
    • http://www.altrus.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160befb731a86d---xusofibifafugo.pdfIn PDF document text
    • https://bancodevida.com/bancodevida/admin/images/image/file/bodebajigofuxemova.pdfIn PDF document text
    • https://digireg.se/upload/mewanusuvipez.pdfIn PDF document text
    • https://bluetact.com/locktactyuma/userfiles/file/xaxodalatupedokise.pdfIn PDF document text
    • https://webmodels.studio/wp-content/plugins/formcraft/file-upload/server/content/files/160c09e1607c5c---binefixibik.pdfIn PDF document text
    • http://skup-laptopow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae2f766a166---12775599735.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db53.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB53 5384 bytes
SHA-256: 27bf531817a3a93e0bd155c67b416578c85827e90cb336397d20107970c82924