Malicious PDF — malware analysis report

Static analysis result for SHA-256 4374c034f3bf584c…

MALICIOUS

PDF

115.1 KB Created: 2021-06-21 10:05:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-24
MD5: 25e110a82bec3f8a1b786a7b9d74cbc5 SHA-1: 1fb50d2c7ddce67363133fc8113fddbdee9b4998 SHA-256: 4374c034f3bf584cc85c8d7deaa4161457d83b40b59a4d0234194a9443d585d9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external websites, many of which are hosted on compromised WordPress sites, suggesting a phishing or malware distribution campaign. The presence of a ClamAV detection for 'Pdf.Phishing.Trojan' and ML classification further supports its malicious nature. The document body, though heavily obfuscated, appears to be a lure for 'Tuneup utilities portable 2019', indicating a social engineering tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9745

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=tuneup+utilities+portable+2019 PDF link annotation
    • https://hps-gruppe.com/wp-content/plugins/super-forms/uploads/php/files/eccfuqg2caoutnmhh9d2in22oh/sunuxogelad.pdfIn PDF document text
    • https://hmv.ir/wp-content/plugins/formcraft/file-upload/server/content/files/1608c701394983---60529313903.pdfIn PDF document text
    • https://rhdplumbing.com/wp-content/plugins/super-forms/uploads/php/files/ada5fe3b521183164dccaf41d6e791eb/lukunanatovozuligivolexud.pdfIn PDF document text
    • http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc102d74d5---zadosapofepisenifiloziz.pdfIn PDF document text
    • https://expungemyrecordnj.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3e3adba81f---93015360976.pdfIn PDF document text
    • https://bluetact.com/locktactyuma/userfiles/file/xaxodalatupedokise.pdfIn PDF document text
    • http://saamfactory.com/wp-content/plugins/super-forms/uploads/php/files/90d3aacb95b655346e8de45742787409/bakujogopejajurope.pdfIn PDF document text
    • https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c39b0bcc464---72266264096.pdfIn PDF document text
    • http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609b5a64b34be---29661796842.pdfIn PDF document text
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/894ee5b73328655b2afaea488211551e/razozivekevizufuzupe.pdfIn PDF document text
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b5cb143153f---fekugeto.pdfIn PDF document text
    • http://festivaldeliteraturadepereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608258a95fe54---fepekafasoxeso.pdfIn PDF document text
    • https://sportli.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608b55e3eab7f---tozonomozezofamosoxajaw.pdfIn PDF document text
    • https://www.democratum.com/wp-content/plugins/super-forms/uploads/php/files/c94692aa4e742852a31b1eea150a07bf/69369165642.pdfIn PDF document text
    • http://dzbnf.com/upload/file/%5C/98186051445.pdfIn PDF document text
    • https://fullhousetourism.com/UploadFiles/file/20210525025247135.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160736725b8386---54992483985.pdfIn PDF document text
    • https://www.nrlandscapes.co.uk/wp-content/plugins/super-forms/uploads/php/files/63080b9e73212298f49616f977bc2ad8/pizazeguvi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001b438.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1B438 5264 bytes
SHA-256: c08405d530728c3bf17e4b7e2f8a81593255713059797e832af8133e735bd795