Malicious PDF — malware analysis report

Static analysis result for SHA-256 43605dfbf1f2ddc9…

MALICIOUS

PDF

73.5 KB Created: 2021-08-29 04:51:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c96f5c86d59b883779edaae92df26efb SHA-1: d539ea1e5fa42b599bfd6fac78932339273bdda6 SHA-256: 43605dfbf1f2ddc9f263ca8573eacb6affc91a725be54029b80afbb664bbd24a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF was detected as malicious by ClamAV and an ML classifier, and heuristics indicate it functions as a link farm. It contains numerous URLs pointing to compromised CMS uploads and disposable domains, suggesting a phishing or malware distribution scheme. The document body is unreadable, but the overall structure and URL analysis strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6838

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mfdesign.hu/files/file/xerutenegulexesaje.pdf
    • http://amoy-art.com/Upload/file/deravezi.pdf
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/6p0qcse6fp1mqrhqk9tls6pdlq/94138033176.pdf
    • https://goldenapp.net/file/jadadirikokoferofo.pdf
    • http://resumesfromabove.com/userfiles/file/sozomogibotumokoxokerin.pdf
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160be1893090af---litowemujizanazumo.pdf
    • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c1f8e19795---rokulikujurimopita.pdf
    • http://insk.ru/img/userfiles/file/95114821135.pdf
    • http://dellalontra.it/userfiles/files/57765898366.pdf
    • http://0-50.ru/userfiles/file/vuvipipuratipabipute.pdf
    • http://www.radioemka.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070fea9e199d---kobega.pdf
    • https://medicinasolidale.org/wp-content/plugins/super-forms/uploads/php/files/fe586abc08c7e28ad4940c351d1710dd/77817490478.pdf
    • http://stjconsulting.it/userfiles/files/75333407764.pdf
    • http://global-insurance-broker.de/downloads/20919921396.pdf
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e6e2aa3157---61823777578.pdf
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c1c33c01dd7---31787907741.pdf
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/b6b5306b54a0a5946f62604d73463dd1/kivamewexajuxozojifozaliz.pdf
    • https://schilderlesvakantie.nl/ckfinder/userfiles/files/dinukunadegafopetuj.pdf
    • http://tranindo.com/Uploads/userfiles/files/gopimuzo.pdf
    • https://istanajpdua.com/contents//files/39374110015.pdf
    • http://extreamtuning.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b6662150285---67506697700.pdf
    • http://dezis.ru/uploads/files/20265201911.pdf
    • https://apoiotelecom.com/imagens/img_fckeditor/file/82677471635.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c955644fefd---12564034518.pdf
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4708606953---zosutud.pdf
    • http://www.gradur.ba/wp-content/plugins/formcraft/file-upload/server/content/files/1608b312a3fe2e---59549506643.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=the+study+of+knowledge
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e3b4.bin
a4bc12e7723aa98bb853d56c61fdb26a0970ab47bd734fbad0edd5b6dcf7a49b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE3B4 19584 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.