Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d42d8b688651680…

MALICIOUS

PDF

67.5 KB Created: 2021-09-20 05:16:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 2621d26f688b4639d8c3f9a1245fa61b SHA-1: 9fa46f699281cbe5c6f1e03a1839177eb5ffe3bb SHA-256: 4d42d8b6886516800e076a72cc3ab35d08412a3b86b1c20b25bfae233ea98c9d
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and numerous external URIs, many of which point to compromised CMS uploads or disposable hosting, suggesting a link farm designed to distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely involving phishing or malware delivery via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6306

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=the+greatest+secret+book+pdf PDF link annotation
    • https://thepainter.asia/upload/files/zujijuvepikanezivazutokig.pdfIn PDF document text
    • http://slovbau.sk/test/userfiles/file/zuwexujudid.pdfIn PDF document text
    • http://brickform.cz/obrazky/files/29372337755.pdfIn PDF document text
    • http://landonintergroup.com/ckfinder/userfiles/files/jiratepas.pdfIn PDF document text
    • http://ohappy.org/userData/board/file/domeposilimo.pdfIn PDF document text
    • http://manuale.aziendasulweb.it/userfiles/files/86557775192.pdfIn PDF document text
    • http://burelomdo.com/ckfinder/userfiles/files/xubezavejugisatodivevoliw.pdfIn PDF document text
    • http://miryangpension.com/FileData/ckfinder/files/20210920_30BB563D690F8DF2.pdfIn PDF document text
    • http://www.primalegal.eu/wp-content/plugins/super-forms/uploads/php/files/lhdvd2gnke43h4gc9lukdhrtn0/82485914609.pdfIn PDF document text
    • https://empresa-venta.hr/files/16609538530.pdfIn PDF document text
    • https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/7ff7f3675f4dc7294a8058cecaa861d8/favemazebobusopenesop.pdfIn PDF document text
    • https://nedimgame.net/calisma2/files/uploads/jenupabukokavajebe.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/161367867aab9e---betewuvumuvete.pdfIn PDF document text
    • http://www.meglobalinc.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16140fd352cfbf---501849461.pdfIn PDF document text
    • http://yishiweb.com/upfiles/files/20210906_030901.pdfIn PDF document text
    • https://sopkambing.com/contents/files/zenudasidegonub.pdfIn PDF document text
    • https://claphamjunction.com.au/wp-content/plugins/super-forms/uploads/php/files/846781d630ae38f52126dee9a0d11399/zugawet.pdfIn PDF document text
    • https://www.algeos.com/js/ckfinder/userfiles/files/volebizid.pdfIn PDF document text
    • http://klinok-saintp.ru/files/defuzap.pdfIn PDF document text
    • http://kibbkw.com/uploads/files/lefawizenaluselefejuvuba.pdfIn PDF document text
    • http://potya.com/waxiraloziwetopuzibasa.pdfIn PDF document text
    • http://telektrans.hu/editor_up/83387467400.pdfIn PDF document text
    • http://thanhnhomdinhhinh.net/uploads/files/74170839468.pdfIn PDF document text
    • http://tythb.com/uploadfile/files/93078139897.pdfIn PDF document text
    • http://vipforiraq.com/userfiles/files/pomojituto.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c72c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC72C 17828 bytes
SHA-256: cb02dc1327ef8fea2b43d8d7e4c1da2d509dc53d4591cab49203f111880e2172
font_01_sfnt_off0000f5b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF5B7 10852 bytes
SHA-256: 42d94f8665de09037eeb02857cf0be294d67180735a0a7e0f1e1e35631ef4f9e