Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c5869ebd9ea0e1d…

MALICIOUS

PDF

61.4 KB Created: 2021-06-18 13:53:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-07
MD5: f78d9b73cbb65d25d4962722c6191ce7 SHA-1: f8977e28397cf4342f5f88a532e329ffc1f20ac1 SHA-256: 4c5869ebd9ea0e1d68146280901b9c3b1bc5f5ecadcc8e7a58cc77477d5e5f90
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating it likely exploits a vulnerability or serves as a phishing lure. The file contains numerous embedded URLs, many pointing to compromised WordPress sites and disposable hosting, suggesting it functions as a link farm to distribute further malicious content or phish users. The presence of PDF-specific heuristics and the ML detection strongly support a malicious intent, likely involving exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9434

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leunamgroup.com/wp-content/plugins/super-forms/uploads/php/files/0a3fd1a4993e48d341d2ad5765ade949/niridujubelege.pdf In PDF document text
    • http://in-dapt.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077b3b2277d2---41245191712.pdfIn PDF document text
    • https://fairtradeportal.pl/userfiles/file/8668961398.pdfIn PDF document text
    • https://hpx.com.ua/wp-content/plugins/super-forms/uploads/php/files/c94fcfb99640a586427571f0fd403dc5/11669028735.pdfIn PDF document text
    • https://mldom.xyz/web/img/podborky/files/logenusakotax.pdfIn PDF document text
    • http://www.melloecastro.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb3d9b1a1a---52394650350.pdfIn PDF document text
    • https://kis-u.com/page_data/file/20210528040046.pdfIn PDF document text
    • http://www.rebranded.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1607ddfe8b7f5c---jineduxakakuzudi.pdfIn PDF document text
    • https://roeveragri.ac.in/wp-content/plugins/super-forms/uploads/php/files/f9650905c77998f8716b5392f901660d/74289075250.pdfIn PDF document text
    • http://hzdsbg.com/uploadfile/1624004005.pdfIn PDF document text
    • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab273b69456---44424518497.pdfIn PDF document text
    • http://adaviestransportltd.com/userfiles/file/86175277135.pdfIn PDF document text
    • http://okuninka-biale.pl/userfiles/file/74617064389.pdfIn PDF document text
    • http://aeskulap24h.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6ec35c3f52---59938786598.pdfIn PDF document text
    • https://weinquartier.at/wp-content/plugins/super-forms/uploads/php/files/ffa3c0c8bae148ac314f057fb6bc38ec/15083289437.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=pokemon+mystery+dungeon+explorers+of+sky+mapPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ba64.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBA64 5596 bytes
SHA-256: 17c42ab8e7f5145187cc09e542c7a74d5ecf0fc067fc921b753e06044e857625
font_01_sfnt_off0000cd74.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCD74 10576 bytes
SHA-256: e18c700d69a27d1b551513286f26516814dc27e914705507465dc85d12e4ad2e

Open this report in the interactive analyzer, or submit your own file for analysis.