Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b2e6b79799e34f5…

MALICIOUS

PDF

112.0 KB Created: 2021-07-06 04:29:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 418b91687a807bae472e22672dcb1f9e SHA-1: d5ce00c4590670273a32ac99841ba6f1b7fc567a SHA-256: 4b2e6b79799e34f5a999a16c320e7e4f20c4aa61fbcc3b3fe06319ac6898cd1c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to obscure malicious destinations. ClamAV detection and ML classification confirm its malicious nature, likely serving as a lure for phishing or malware delivery. The presence of multiple external links suggests an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5511

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://marksiegeldds.com/wp-content/plugins/super-forms/uploads/php/files/5b4f12a6b0a72ecf204014425532f443/73014574042.pdf In PDF document text
    • https://luminex.pl/upload/file/10747450427.pdfIn PDF document text
    • http://applexin.com/ttpsea/files/file/39281530018.pdfIn PDF document text
    • https://signaturetowerpune.com/wp-content/plugins/super-forms/uploads/php/files/a5mi16gk7bonnddaa6vupkbgn7/26043523867.pdfIn PDF document text
    • https://autosaloncenter.com/uploads/file/67447881699.pdfIn PDF document text
    • http://fouladsazanco.com/Upload/file/piker.pdfIn PDF document text
    • http://bobmeetin.com/media/galleries/files/boxifijaluxarugumude.pdfIn PDF document text
    • http://www.jhannahs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c584512f595---ruxugob.pdfIn PDF document text
    • http://faw-asia.com/image/upload/files/wewevilawitatu.pdfIn PDF document text
    • https://binhruamuinanobac.com/wp-content/plugins/super-forms/uploads/php/files/vblvjh8inb25lgjii9ma6cc0v1/24032524830.pdfIn PDF document text
    • http://richmore.kr/uploadfile/fckeditor/file/mabelokedomawako.pdfIn PDF document text
    • https://www.mybizwebsites.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cb0c7d9549e---jewinaxejikusisudimep.pdfIn PDF document text
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608e5cf478cd1---94694399200.pdfIn PDF document text
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/d0efbc9e458ecb9eb651bb6a4f0a255c/28426969684.pdfIn PDF document text
    • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/b92a8d26101c1c60cf6e4a79306446f0/72919179359.pdfIn PDF document text
    • https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/160758e6e3d195---letoraxuwuzixin.pdfIn PDF document text
    • https://smartcirclegroup.com/userfiles/file/kerami.pdfIn PDF document text
    • http://tentauto23.ru/ckfinder/userfiles/files/dovefu.pdfIn PDF document text
    • https://nanyangtextile.com/userfiles/file/wanogaderugenamot.pdfIn PDF document text
    • http://ilturismoinitalia.it/userfiles/files/panuvoduwutitebikegizari.pdfIn PDF document text
    • https://bayardplaza.co.uk/wp-content/plugins/super-forms/uploads/php/files/st42gneab9vev5ge16umdulfu5/xuragexivajawotawalifanog.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=dhikr+after+prayerPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0001977c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1977C 26187 bytes
SHA-256: d9252e8e728931f5538cb704498a30e9f1b0c1c7d790c5c684516e0a9738f8b3
font_00_sfnt_off00014f66.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14F66 18716 bytes
SHA-256: 50b4cf598f970bde9e5debce42932de0b6bba7553cb096a9aa50b708bc9df6c1
font_01_sfnt_off0001805d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1805D 10224 bytes
SHA-256: 00e0a69cd36eeb6aa18b1390c80cbdac43875d21ad263dbec55c03fc6aba87c0