Malicious PDF — malware analysis report

Static analysis result for SHA-256 473c59317bf821a2…

MALICIOUS

PDF

85.8 KB Created: 2021-09-20 08:30:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: fcd673160a0d0f3c6ae2928d0787840a SHA-1: 69fcd9be2185295e2877fb2cbaed1a64a6724279 SHA-256: 473c59317bf821a290f4a9aafcfe6a7fc9982373c40eafe6d3a4e1dad7d5b0be
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised websites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7871

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://blessingsngo.in/userfiles/files/53289102614.pdf In PDF document text
    • http://www.sunaryem.com.tr/wp-content/plugins/super-forms/uploads/php/files/9utg8dirrrp0687ibf5vqpunf2/11823931201.pdfIn PDF document text
    • http://chiangmai-clean.com/user_img/files/gikosilolazu.pdfIn PDF document text
    • https://oglethorpeclub.org/~oglethor/UserFiles/file/47792510586.pdfIn PDF document text
    • http://vucert.vn/uploads/files/35864929145.pdfIn PDF document text
    • https://hattshopping.com/admin/assets/images/ckfiles/31541287803.pdfIn PDF document text
    • http://vibrator4you.cz/UserFiles/File/26579238652.pdfIn PDF document text
    • http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1613d22f030833---91808670687.pdfIn PDF document text
    • https://vishalahospitality.com/ckfinder/userfiles/files/rewuvojowoguxozaleripa.pdfIn PDF document text
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/d7d83ed5821b83c1e51b1e3191a2c9e4/vavizevepuwawogewubiloxa.pdfIn PDF document text
    • https://vietnaminsight.biz/ckfinder/userfiles/files/dibomuv.pdfIn PDF document text
    • http://gizmakina.com/depo/sayfaresim/file/repasugemavuxa.pdfIn PDF document text
    • http://dianacb.cz/userfiles/file/xevexorimefubu.pdfIn PDF document text
    • http://morenoroofing.com/wp-content/plugins/formcraft/file-upload/server/content/files/16140118bedf3d---luwosaranifefaza.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613fb1c5894b0---bipajumadujaze.pdfIn PDF document text
    • http://www.ondebiz.com/userfiles/file/66190063938.pdfIn PDF document text
    • http://ibnuaffan.com/ckfinder/userfiles/files/tewefuwuroromazemivurofiv.pdfIn PDF document text
    • https://edusfera.pl/upload/file/wekok.pdfIn PDF document text
    • https://juniorclublivorno.com/sitonews/images_upload/files/56253361688.pdfIn PDF document text
    • https://europacreativaeuskadi.eu/files/galeria/files/46968913383.pdfIn PDF document text
    • https://bykevin.com/wp-content/plugins/super-forms/uploads/php/files/75c6cca5c6aac497eed09fbd7d722cdd/9232462132.pdfIn PDF document text
    • https://accu-split.com/userfiles/files/43061664652.pdfIn PDF document text
    • https://veterinarycarefoundation.org/userfiles/file/41234348788.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=english+file+beginner+test+booklet+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000120fe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x120FE 10832 bytes
SHA-256: 23b4ed9552750bfbcdc3261657c178d6dae287684e5bb8ca69aa28b7cfdecc96

Open this report in the interactive analyzer, or submit your own file for analysis.