Malicious PDF — malware analysis report

Static analysis result for SHA-256 4295d356faac0af4…

MALICIOUS

PDF

76.2 KB Created: 2021-09-03 10:50:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: a6685adc6e8eac2f8d3b8f045c1b95c7 SHA-1: d463d5ef07eeee2036814907e3b61a4eaa387195 SHA-256: 4295d356faac0af42ced540ba34ab980e0bd28b1ce0c8f10b27e2862252066bb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains numerous embedded URLs, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics further supports this, indicating an attempt to lure users through search engine optimization tactics. No scripts were extracted, but the overall structure and URL patterns are consistent with a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8530

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=finding+area+and+perimeter+of+rectangles+worksheets PDF link annotation
    • http://imdad-egypt.com/userfiles/file/rapezonirubirebod.pdfIn PDF document text
    • http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/e4cfbc0a574eec0433fea8ee42af5a9a/28000243642.pdfIn PDF document text
    • http://beiks.info/public/file/tidurera.pdfIn PDF document text
    • http://articolo17.it/siti//usr/foto/files/403271622.pdfIn PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a346fc39a32---paruxevirajarunokebabo.pdfIn PDF document text
    • http://ar-intl.net/wp-content/plugins/super-forms/uploads/php/files/geh4po1a9pdpcslr9q9feeo6r5/44256179527.pdfIn PDF document text
    • https://givemeit.ru/wp-content/plugins/super-forms/uploads/php/files/9218517858b7bf06e2e53e8f78041c95/bukapibosirufo.pdfIn PDF document text
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/160daaab65cd4b---zezoxolu.pdfIn PDF document text
    • https://gotoko.com/cmsv2/upload/files/popudinowolomugizil.pdfIn PDF document text
    • http://ontis.sk/editor_uploads/system/files/jusuvasarekudorepake.pdfIn PDF document text
    • http://schokobrunnen.com/idata/90094295288.pdfIn PDF document text
    • http://zentrumok.com/userfile/files/mubuxe.pdfIn PDF document text
    • http://wskinbody.com/data/boardData/files/wikokorapivinegokib.pdfIn PDF document text
    • http://daeryuhealthcare.com/ckupload/files/76707984694.pdfIn PDF document text
    • http://roocenter.ru/upload/file/33233414054.pdfIn PDF document text
    • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a7a5162bb3---tosud.pdfIn PDF document text
    • https://www.nobleorthodontic.com/wp-content/plugins/super-forms/uploads/php/files/b3a6467831d3a183b1bc028f8cbc9328/girigiwiloni.pdfIn PDF document text
    • https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/16113395635653---pobamiruganufefasuk.pdfIn PDF document text
    • https://taevlingar.se/images/pages/file/xikofebu.pdfIn PDF document text
    • http://bassbasement.org/userfiles/file/fufiwow.pdfIn PDF document text
    • https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/160acee8389535---lodobuvivisu.pdfIn PDF document text
    • http://anhbanglaw.com/userfiles/file/kibuk.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d517.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD517 18336 bytes
SHA-256: fac006978b9d294314f8f2686a82e0faa99663a8d4d27caf31d5b0d04af95f8c
font_01_sfnt_off000104d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x104D6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.