Malicious PDF — malware analysis report

Static analysis result for SHA-256 44745f93e71a4562…

MALICIOUS

PDF

Size: 85.9 KB
Created: 2021-09-18 10:27:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 51a7f1a9304a7352bc2ea201ad39dd11
SHA-1: e2401e1f1c35925565c6f8dbe7882ddb42e621c1
SHA-256: 44745f93e71a4562cafed4bcd9ff5dd25f494b6b420c37ff191afdc1264492a7
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains multiple links pointing to external websites, some of which are hosted on compromised CMS platforms. The ClamAV detection indicates it is a phishing trojan. The embedded links are likely used to redirect users to malicious sites for phishing or to download further malware, aligning with a spearphishing attachment attack pattern.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4958

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://garglob.ru/uplcv?utm_term=the+annunciation+1984+watch+free+online (PDF link annotation)
    • https://www.scmsgroup.org/ckfinder/userfiles/files/65588180169.pdf (in PDF document text)
    • http://lisahyatthealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/16140e8072784d---gisemukafipaken.pdf (in PDF document text)
    • http://www.stallionreadymix.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/161444e1eafe78---58854653157.pdf (in PDF document text)
    • http://fotocaroli.it/userfiles/files/30026010742.pdf (in PDF document text)
    • http://kesherisrael.com/uploadEditor/files/gagibizid.pdf (in PDF document text)
    • https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f0b753c784---zuwezobisok.pdf (in PDF document text)
    • http://jedwines.com/cmsCart/upload/file/kotunosuwalinukajiso.pdf (in PDF document text)
    • https://messianic.live/wp-content/plugins/super-forms/uploads/php/files/16a06fd39d1540287ac06bfb67c15eec/4469682087.pdf (in PDF document text)
    • http://vibrobreaker.com/files/files/86881001331.pdf (in PDF document text)
    • https://italvaping.com/file/minomixanavenijavito.pdf (in PDF document text)
    • http://sedaciesupravy.sk/media/file/44991649475.pdf (in PDF document text)
    • http://gattoneva.pl/pages/userfiles/file/68099911866.pdf (in PDF document text)
    • https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/161372e73389d7---38225945368.pdf (in PDF document text)
    • http://fapannimario.it/userfiles/files/vaxaxexaketabiw.pdf (in PDF document text)
    • https://propiedades.net/ckfinder/userfiles/files/1408168069.pdf (in PDF document text)
    • http://remontnoedelo.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16140c85ecaa9c---34548983835.pdf (in PDF document text)
    • https://www.leasing.net.in/ckfinder/userfiles/files/jozetabotomelifexupuxiwi.pdf (in PDF document text)
    • http://viquadro.com/userfiles/files/76731495704.pdf (in PDF document text)
    • http://hydrogears.com/survey/userfiles/files/50365423486.pdf (in PDF document text)
    • http://healhumanity.foundation/userfiles/file/2732746982.pdf (in PDF document text)
    • http://perfecturology.cafe24.com/upload/editor/imagefile/xikuminukumevuruvum.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010703.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10703
  Size: 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Filename: font_01_sfnt_off00011f15.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11F15
  Size: 18048 bytes
  SHA-256: 7d0d243cf5d5ddf51e4399d93e2181030d1fa9056dd117e178279cafa1cb4ba4