Malicious PDF — malware analysis report

Static analysis result for SHA-256 465496f4da88f031…

Verdict: MALICIOUS
File type: PDF
Size: 66.5 KB
Created: 2021-07-30 13:44:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: d3e654fe6880f5d2b5525bc8956b7c65
SHA-1: 9cbb04c9748e22d2b40d353530d0d2cbb50b83bd
SHA-256: 465496f4da88f03193eec9ed5d2383736b63b3b7933f1a25663a47489f2030f6
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The file contains numerous links pointing to potentially compromised websites and disposable hosting, characteristic of a link farm used for phishing or malware distribution. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9491

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://rugsinc.in/UserFiles/files/zuludovag.pdf (In PDF document text)
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d91ae4815b---kanokopuwolibugov.pdf (In PDF document text)
    • http://shiksha24.com/userfiles/files/wodomosagavi.pdf (In PDF document text)
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf8ebc7461f---86397019203.pdf (In PDF document text)
    • https://medgarlci.com/wp-content/plugins/super-forms/uploads/php/files/b4d6f783ac7b8d873c4dd89acf5ef7d7/dividugoda.pdf (In PDF document text)
    • https://forkidsvietnam.vn/wp-content/plugins/super-forms/uploads/php/files/knqc1d5gdo10abmem90o8l97nn/kukakonet.pdf (In PDF document text)
    • https://bluebeakbranding.com/wp-content/plugins/super-forms/uploads/php/files/6e3c35c64b6bb854dfadf4d34f3c239a/28312488586.pdf (In PDF document text)
    • http://langeline.com/ckeditor/upload/files/lonidebepafej.pdf (In PDF document text)
    • http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d80c5663ad---95454686204.pdf (In PDF document text)
    • https://militarynetwork.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608260463e81d---6463124435.pdf (In PDF document text)
    • https://hanomanberjaya.com/contents//files/xevuniwufivifefawufobigo.pdf (In PDF document text)
    • http://alarcon-v.com/editor_upload_image/file/44129560461.pdf (In PDF document text)
    • http://geraldkleinlaw.com/ckfinder/userfiles/files/38105045442.pdf (In PDF document text)
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160f88896a8e82---kuxumibufarexugi.pdf (In PDF document text)
    • https://ewdel.cz/ckfinder/userfiles/files/ludikimobixixanoxus.pdf (In PDF document text)
    • http://chobacgiang.net/webroot/img/files/87046875519.pdf (In PDF document text)
    • https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/16075780ada94a---54513661756.pdf (In PDF document text)
    • http://abwingssuffolk2.com/uploads/files/86034980104.pdf (In PDF document text)
    • http://avandcie-energy.com/ckfinder/userfiles/files/gezito.pdf (In PDF document text)
    • http://aitrans.org/UploadFile/file/F1202105271820184920.pdf (In PDF document text)
    • http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e6881f696cb---dejamizimigipatopujesem.pdf (In PDF document text)
    • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079cf09c3e1b---jajej.pdf (In PDF document text)
    • https://eduinfinite.com/wp-content/plugins/super-forms/uploads/php/files/2065c925c1b9c1833d02f92109c5b5c5/89716899625.pdf (In PDF document text)
    • http://ha-sine.com/d/files/zamimaginanafikeror.pdf (In PDF document text)
    • http://www.kidnuri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab8c9bf01f4---malelufaripomemomitozugix.pdf (In PDF document text)
    • https://wills.sg/wp-content/plugins/super-forms/uploads/php/files/8f0f809a7f80ab37664c3c02f50f84bf/42512310161.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=what+is+the+purpose+of+dreams+according+to+psychoanalytic+theory (PDF link annotation)