Malicious PDF — malware analysis report

Static analysis result for SHA-256 44800ed9690d93e2…

MALICIOUS

PDF

156.9 KB Created: 2021-05-07 09:08:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: f020ed41b4d2c3c1cff9f0f070d0f990 SHA-1: 1353facd9e55f49b6102c198493c6a2445574b25 SHA-256: 44800ed9690d93e2c0580b835e850a5ef320e0bab64c8da4ea0f53d6e1c72e12
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or malware distribution attempt. It contains numerous links to external websites, many hosted on compromised CMS platforms or disposable domains, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains metadata related to wkhtmltopdf, hinting at its generation method rather than user-facing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9411

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.uppld.org/wp-content/plugins/formcraft/file-upload/server/content/files/160852353e796b---wekuzojiwu.pdf In PDF document text
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/7543a404f8f7a9e7c8859cca5e2af99f/zikefa.pdfIn PDF document text
    • http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/1607baf5917917---73881569279.pdfIn PDF document text
    • https://markzone.az/wp-content/plugins/super-forms/uploads/php/files/q9jmplbk00vba4hbjuji7obqbn/73241371143.pdfIn PDF document text
    • https://sygimportaciones.com/wp-content/plugins/super-forms/uploads/php/files/huhb7344dk4fbom5vnh9gt1nm4/61956046357.pdfIn PDF document text
    • https://agrachoff.ru/wp-content/plugins/super-forms/uploads/php/files/813ffabdfcae2a2c0009688b4bb63cc6/3264179686.pdfIn PDF document text
    • https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160739067ae947---43211017269.pdfIn PDF document text
    • http://www.gunyagder.org.tr/wp-content/plugins/super-forms/uploads/php/files/o9dvom1rbk0qnuu0ovfq7ed0a3/88874258469.pdfIn PDF document text
    • http://workprohealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081362342c8a---zumeludaniduvax.pdfIn PDF document text
    • https://hcs1000.org/wp-content/plugins/super-forms/uploads/php/files/2a6b106afc4b045c6148d8b5798817e3/zetedimemifajeboxabifet.pdfIn PDF document text
    • https://theshairpodcast.com/wp-content/plugins/super-forms/uploads/php/files/7215ec7d6dd6c8a304494339ce849580/fugaxuv.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160770e8d7a32f---39955617105.pdfIn PDF document text
    • https://a2designbg.com/userfiles/file/5144543457.pdfIn PDF document text
    • http://festivaldeliteraturadepereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c9c842b34f---75468398037.pdfIn PDF document text
    • https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/5529dcad7b6c89e883683084dd40ab91/58661407283.pdfIn PDF document text
    • https://islandsvefir.is/wp-content/plugins/super-forms/uploads/php/files/r7lffp3bu43oh9589tp86mtdfl/17261239053.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=workbook+answers+of+hearts+and+handsPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002333d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2333D 4332 bytes
SHA-256: fb1c0650d071499a5b8d2f1d434536cc566f140fec8400549f1a6006527e9a31
font_01_sfnt_off00024258.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x24258 5272 bytes
SHA-256: 12dc78ae206cc76c0a1e965655f77f4681cb778871154266a2ce6c47dd99572f