Malicious PDF — malware analysis report

Static analysis result for SHA-256 463c5774f62c1855…

MALICIOUS

PDF

106.8 KB Created: 2021-06-19 12:58:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: c5e6168d76b73d1da8be1205e7ecfdc7 SHA-1: 20d56b180810712ed5568f30235d37574ac2e668 SHA-256: 463c5774f62c1855c299d825ac6e13cc6b13d8e25ebf424c47819cdad02ecf02
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing attempt. It functions as a link farm, directing users to multiple compromised WordPress sites that host further PDF files, likely as part of a multi-stage attack. The presence of embedded URLs and the nature of the heuristics suggest an attempt to lure users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7279

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.mozartcantat.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ca1c42f02de---ripelijimezisubakogosifu.pdf In PDF document text
    • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/42b318e94fab88ffd89d47cca0b4b4ae/72060796666.pdfIn PDF document text
    • https://kakvkusno26.ru/wp-content/plugins/super-forms/uploads/php/files/46836710e804e2f53bc114037b35025c/12865400817.pdfIn PDF document text
    • https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/85317d15cb03d1ada5c1e278d8d4275a/85885906196.pdfIn PDF document text
    • https://fwullong.com/upfiles/editor/files/69877820241.pdfIn PDF document text
    • https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/160aa0405371a9---jujanaduvipelunufituxelow.pdfIn PDF document text
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/e75d36f5acdeac15374fa98e9fb5bd18/vazetokeda.pdfIn PDF document text
    • https://stellabakingcompany.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079f3077f0b8---44616066405.pdfIn PDF document text
    • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606f210a18045---62076093227.pdfIn PDF document text
    • https://skazkavdom.com/wp-content/plugins/super-forms/uploads/php/files/7c175531154c389d9809ee33504a7ea2/ponobefu.pdfIn PDF document text
    • https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608b4c0374899---18845976617.pdfIn PDF document text
    • http://arniestribu.com/campannas/file/kuxuze.pdfIn PDF document text
    • https://joyfool.art/wp-content/plugins/super-forms/uploads/php/files/dc028b54ad7b71cf9e19a6e93b7d214e/fibogemi.pdfIn PDF document text
    • https://sckprime.com/wp-content/plugins/super-forms/uploads/php/files/ffb1820951c53ab025fabe5121370ea0/tubiwukodoz.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=wax+and+wayne+trilogyPDF link annotation
    • http://lovewhereyoulv.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/7de46ec0b705fb2d66b3ee59a8e89e34/kuwojifudifijigofoginak.pdfIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017337.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17337 4880 bytes
SHA-256: b55d981e093b575f5d58974ec14df8061f7c29e89fe9c35f16cf8f46e3d2402f
font_01_sfnt_off000183f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x183F2 10980 bytes
SHA-256: 04fc9b2e0695a8302f40ce0e0561e562e05311e486c0d9bb1d4429b76d6441aa

Open this report in the interactive analyzer, or submit your own file for analysis.