Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ab8f3745f867561…

MALICIOUS

PDF

74.8 KB Created: 2021-07-15 21:51:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 5b12dbcbd2a6adc5afa5c6b99f35d798 SHA-1: 03ec14a92dba168a77f41782335bb9ce8896bb4c SHA-256: 4ab8f3745f867561b7b0c641bef8413c7fb903326286f35feabb543317a2b956
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous external links, with several heuristics indicating it functions as a link farm. Some links point to compromised CMS uploads and disposable hosting, suggesting a malicious intent to distribute further payloads or conduct phishing. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8595

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://atut-biuro.com/uploaded/file/33169391335.pdf In PDF document text
    • http://twothirdsmajority.us/clients/38522/File/10734453232.pdfIn PDF document text
    • http://droprint.my/home/ququ4923/public_html/userfiles/file/wepupukomonasud.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/wafixufaboponaxapowed.pdfIn PDF document text
    • http://boeschfamilytravels.com/clients/43210/File/xipebo.pdfIn PDF document text
    • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/f923ed20bb63a20c227fab288ad3f803/15420978227.pdfIn PDF document text
    • http://sys-svinding.dk/userfiles/file/tisimap.pdfIn PDF document text
    • http://aptchasers.com/FCKeditor/userfiles/file/wufibufigemu.pdfIn PDF document text
    • https://maxim-catering.de/wp-content/plugins/super-forms/uploads/php/files/0v4gkas8ce6mh6ert9k51427pk/20145983652.pdfIn PDF document text
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160765575185c8---jutugenabosujejarudeb.pdfIn PDF document text
    • https://elitstroycraft.ru/source/file/48306201284.pdfIn PDF document text
    • https://lightspec.ca/wp-content/plugins/super-forms/uploads/php/files/6ecbf2796533326bbd879c223a6f6ea8/46270581708.pdfIn PDF document text
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/g3r5qa5o98mh4d6onm0fheu63d/besolitupopojefinajivi.pdfIn PDF document text
    • https://webhostmurah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a09be327807---vatitogunuvexugosivebu.pdfIn PDF document text
    • http://pomodorolennep.de/gfx/userfiles/files/83926210719.pdfIn PDF document text
    • http://salinahighschool1968.com/clients/3/33/33fcb9b832a528c934b1ac42c6b88a99/File/21843252579.pdfIn PDF document text
    • https://invest.pl/userfiles/file/60099409254.pdfIn PDF document text
    • http://trineckevzdelavani.cz/webpagebuilder/ckfinder/userfiles/files/74429006713.pdfIn PDF document text
    • https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1609fe6483b5fb---rovodezorafiga.pdfIn PDF document text
    • http://timatey.kz/wp-content/plugins/super-forms/uploads/php/files/d0beoqrlbl6mntjq9elg0e4d02/1310795679.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=hard+animal+trivia+questions+and+answersPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f018.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF018 10800 bytes
SHA-256: 6af4e7ffb698d197499bdc855856375dea04be72a4fa54535bec838f6524baa6

Open this report in the interactive analyzer, or submit your own file for analysis.