Malicious PDF — malware analysis report

Static analysis result for SHA-256 45a3dacc40678813…

MALICIOUS

PDF

62.3 KB Created: 2021-09-08 17:58:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 7294fb4aebc0d0ed1d231e361ab89208 SHA-1: e56e2048743d8a1c7baaab27724948555cd41862 SHA-256: 45a3dacc40678813ac143870e7d782b879859c274569c92a8c42392bbad13ac7
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains numerous embedded URLs that form a link farm, directing users to various websites. Heuristics indicate these links are hosted on compromised CMS uploads and disposable domains, suggesting a phishing or malware distribution scheme. The ClamAV detection and ML classifier further support its malicious nature, likely exploiting PDF vulnerabilities to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7193

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=maroon+5+maps+piano+sheet+music+pdf PDF link annotation
    • http://www.udelimpa.es/ckfinder/userfiles/files/10232797091.pdfIn PDF document text
    • https://www.golaw.net/wp-content/plugins/formcraft/file-upload/server/content/files/16133101f2d0e5---75879304399.pdfIn PDF document text
    • https://mosallaesf.ir/uploads/ck/files/80819753338.pdfIn PDF document text
    • http://shangyi-pump.com/uploads/file/042223226218.pdfIn PDF document text
    • https://dolmalatrek.com/userfiles/file/rovorazuzola.pdfIn PDF document text
    • http://arsvet.ru/img/upload/nemusegelitabawitur.pdfIn PDF document text
    • http://flex-link.cn/uploadfiles/files/dodofudixivanotelawim.pdfIn PDF document text
    • https://www.adoz.cz/ckfinder/userfiles/files/fowuduwosisotajonim.pdfIn PDF document text
    • https://fullprotec.com/ckfinder/userfiles/files/vinoremepubevabadizulodam.pdfIn PDF document text
    • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/489dda5c934948da467fbf62bc5b26d1/polod.pdfIn PDF document text
    • https://ourlady-schools2.com/userfiles/files/7979586747.pdfIn PDF document text
    • https://stollerco.com/testingsites/advantage_aviation/assets/media/file/pipitifitulinepekojof.pdfIn PDF document text
    • http://scenekunstskolen-efteruddannelsen.dk/ckfinder/userfiles/files/soneginarajamoninopewareg.pdfIn PDF document text
    • http://ferrocom-spb.ru/userfiles/files/tufora.pdfIn PDF document text
    • http://dainindo.com/Uploads/userfiles/files/wegimujejipoxud.pdfIn PDF document text
    • http://bernardthevenet.fr/ckfinder/userfiles/files/tixagavotulawilagusodu.pdfIn PDF document text
    • http://barcabianca.eu/upload/file/dojopenagisanonof.pdfIn PDF document text
    • http://top-rubber.com/admin/fckeditor/editor/filemanager/connectors/upload/file/bawotako.pdfIn PDF document text
    • http://inistor.com/ufiles/files/9760899265.pdfIn PDF document text
    • http://burragebrothers.net/demo/jolie/beta/userfiles/files/57612417188.pdfIn PDF document text
    • http://hk-bbc.com/upload/file/5642710474.pdfIn PDF document text
    • http://osullivanspressurewashing.com/wp-content/plugins/formcraft/file-upload/server/content/files/161387fcca631c---30869991736.pdfIn PDF document text
    • http://deborahkay.com/ckfinder/userfiles/files/werilivupomimomowukod.pdfIn PDF document text
    • https://ukmalayalamnews.com/userfiles/file/40844122845.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d016.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD016 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1