Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e51910ea7af19fd…

MALICIOUS

PDF

63.7 KB Created: 2021-10-04 03:59:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 3bcc5f9e1441322fda0e241b3f802a51 SHA-1: 5a3596ba79b0857d1c3cf8698ba1ad35355a6f9b SHA-256: 4e51910ea7af19fd81fe16986d340b8ab3b9c8a97c4d524951f9564f01171a78
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to external sites. Several of these URLs are hosted on compromised WordPress installations, indicating a potential phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4045

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ketchas.ru/uplcv?utm_term=worksheet+on+nouns+for+class+2 PDF link annotation
    • https://diphong.com/uploads/jaginiredivuv.pdfIn PDF document text
    • https://fatheragneliti.com/wp-content/plugins/formcraft/file-upload/server/content/files/161392c1b862fe---6608167047.pdfIn PDF document text
    • http://kiuanai.com/userfiles/file/muwenu.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1614c8ae699eb2---ziravodazanumiti.pdfIn PDF document text
    • https://hanomanberjaya.com/contents/files/77859271030.pdfIn PDF document text
    • http://veronicanealhome.com/wp-content/plugins/formcraft/file-upload/server/content/files/2/16136881213df3---14346779304.pdfIn PDF document text
    • http://kondicionery-lobnya.ru/upload_picture/file/96988519353.pdfIn PDF document text
    • http://kkc1.org/htdocs/cljr/data/files/netupinaziwu.pdfIn PDF document text
    • https://spitalmoldovanoua.ro/ckfinder/userfiles/files/dupovibe.pdfIn PDF document text
    • https://sharenkon.com/files/jimifigazefizovexifotu.pdfIn PDF document text
    • http://rapabzenec.cz/obrazky/files/32407091413.pdfIn PDF document text
    • http://tzsunup.com/upload/kagobinusisopada.pdfIn PDF document text
    • https://rcvizovice.cz/ckfinder/userfiles/files/44240957045.pdfIn PDF document text
    • https://eqonetech.com/upload/userfiles/files/92792862612.pdfIn PDF document text
    • https://movie2book.com/userfiles/file/dobijusebaw.pdfIn PDF document text
    • http://maymaygiaydachidang.com/upload/files/jilejog.pdfIn PDF document text
    • https://rallstarawards.us/nbloom/fckuploads/file/28125183132.pdfIn PDF document text
    • https://migger.dk/userimages/file/bumidirekiruv.pdfIn PDF document text
    • https://dhins.com/testingsites/advantage_aviation/assets/media/file/34754515632.pdfIn PDF document text
    • http://hcstonetw.com/uploads/files/202109031525491947.pdfIn PDF document text
    • http://baove24h.info/upload/files/tuwibafu.pdfIn PDF document text
    • https://8foro.exceltur.org/exceltur_nuevo/ckfinder/userfiles/files/seburajefevojivijoba.pdfIn PDF document text
    • https://dubigroup.com/admin/fckeditor/editor/filemanager/connectors/upload/file/79427885345.pdfIn PDF document text
    • http://cheliabinsk.realxenon.ru/uploads/files/teravegogajak.pdfIn PDF document text
    • http://romanakladatelstvi.cz/userfiles/file/65302634907.pdfIn PDF document text
    • http://sportsbettingconsultants.net/cote_dor_import/admin/ckfinder/userfiles/files/zilezal.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b113.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB113 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000c92a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC92A 10644 bytes
SHA-256: cac99749ef835e6e2a06be1130cb2cbb1294c8f12123cf42d33352aa499473ba

Open this report in the interactive analyzer, or submit your own file for analysis.