Malicious PDF — malware analysis report

Static analysis result for SHA-256 48d5496ec2efc7fe…

MALICIOUS

PDF

51.5 KB Created: 2021-09-02 04:50:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 1caf324f0920aa1a412d2bfe11e17b9d SHA-1: 048adc19c1a16ca1cdbb0cd8213245fc51cfcf53 SHA-256: 48d5496ec2efc7fed963791386c4c96e5af41e2eafa8546a1caccfb135e523ee
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for Pdf.Phishing.Trojan. The file contains a link farm pointing to multiple domains, many of which are hosted on compromised CMS uploads or disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7185

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chamdure.com/DATA/files/10674408163.pdf In PDF document text
    • http://xn--80akij1ajew.xn--p1ai/wp-content/plugins/formcraft/file-upload/server/content/files/160b9953d17709---lotemubutepetu.pdfIn PDF document text
    • https://agrilaui.com/userfiles/file/67421585245.pdfIn PDF document text
    • http://ore-processing.ru/d/files/60735439589.pdfIn PDF document text
    • http://studiomanzetti.it/userfiles/files/kujipezitenereg.pdfIn PDF document text
    • https://genegurumiraclehealer.com/userfiles/file/penasodedelevejudu.pdfIn PDF document text
    • http://torgoborud.org/images/file/dexovaveg.pdfIn PDF document text
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b2957bb644c---72821757239.pdfIn PDF document text
    • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/d47c7c79280d46cc199942eec755d934/4475542922.pdfIn PDF document text
    • https://tecnibat.net/uploads/archivos/41171787687.pdfIn PDF document text
    • https://nutricionintraveIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=drink+driving+lawsPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.