Malicious PDF — malware analysis report

Static analysis result for SHA-256 48b328f790c86f10…

MALICIOUS

PDF

66.6 KB Created: 2021-06-07 10:46:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: 4b45ab2491511557a676c89dcf2eee28 SHA-1: 02ae5f1a3f7d7d9a5850bd82b70b3b2120a3ddd8 SHA-256: 48b328f790c86f1003258a51e9bc4163234f32eb07bbe6a391c52927e42acfce
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links, many pointing to compromised WordPress sites, suggesting a link farm designed to distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The embedded URLs and the heuristic findings of a link farm on disposable hosting support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9706

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=how+to+make+a+slither.io+bot PDF link annotation
    • http://apexibd.com/uploads/fck_uploads/file/pasubadexononinidupuz.pdfIn PDF document text
    • https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/30c6333159eb8cf36fd640178ce00be6/81686097846.pdfIn PDF document text
    • http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7d4f6c9ca3---31960015329.pdfIn PDF document text
    • https://www.alongsideasia.com/wp-content/plugins/super-forms/uploads/php/files/ba3dc74e6b5ec25806e8b0f857e8f7ed/wolub.pdfIn PDF document text
    • http://www.risingstars.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1606cee6e7d626---34385774217.pdfIn PDF document text
    • http://northcity.rs/slike/files/35378222888.pdfIn PDF document text
    • http://www.contectrade.hu/fckfiles/file/75147956908.pdfIn PDF document text
    • http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a3d2946c9e---vawogeteneni.pdfIn PDF document text
    • http://allseasonsart.com/uploads/fck_uploads/file/59347582493.pdfIn PDF document text
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16083a98a557c6---wekewuvofafoposagikamofo.pdfIn PDF document text
    • http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608c66e1a3efa---ditirezuzebudixuguv.pdfIn PDF document text
    • https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/00bn4v2p2m79cuqs50for4r9b6/tepaxoferotulodudog.pdfIn PDF document text
    • http://phantasos.org/userfiles/file/22531710684.pdfIn PDF document text
    • http://antik-cafe-bergen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16082432a2157e---591375632.pdfIn PDF document text
    • https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/2kjhgvq6375591o9ja300nc2qh/mesusozajotinerumam.pdfIn PDF document text
    • http://wakingbeauty.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608827666c50f---71491200560.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d407.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD407 5216 bytes
SHA-256: aa5bbc1700bd09e31493e9b9008b54a55f38bc74b3505801fa245d018f3fdeb4
font_01_sfnt_off0000e5a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE5A4 10588 bytes
SHA-256: 96fb7c28147709d601f6e6b4e6c624ccff6b08330854b32b87a766f43fb665cf