Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ecf2abbbb0d8cab…

MALICIOUS

PDF

127.7 KB Created: 2021-05-27 14:48:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: d77265b4351ade7bce35a4145ef0c7d2 SHA-1: 34dc9805b5bec9db7e223afd95477e87001310f9 SHA-256: 4ecf2abbbb0d8cab3a28ad4e845ba31c6f9a598ca8a63358107a25c18c3810d0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains numerous external links, many pointing to compromised WordPress sites, suggesting it functions as a link farm. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and 'Qt', indicating it was likely generated programmatically. The presence of multiple distinct hosts and UTM parameters in the URLs suggests an attempt to distribute traffic or track user interactions, common in phishing or malware distribution schemes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7735

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=instagram+name+font+style+for+boy+attitude PDF link annotation
    • http://goref.ru/files/file/89227108867.pdfIn PDF document text
    • https://k2salight.com/wp-content/plugins/super-forms/uploads/php/files/b36148cc6d5477c367faf1e8a6c201d5/57175251816.pdfIn PDF document text
    • http://www.timtransportes.com/home/wp-content/plugins/formcraft/file-upload/server/content/files/160793ce99183b---bonuvemewod.pdfIn PDF document text
    • https://www.lorenzofranzone.it/wp-content/plugins/super-forms/uploads/php/files/5bf423e8e71b4389ab1c25a47fac6e74/17924484695.pdfIn PDF document text
    • https://alsterparkett.de/wp-content/plugins/super-forms/uploads/php/files/512q7v41kfmnhhg8fiv1iqv83i/61480366074.pdfIn PDF document text
    • https://www.lightingdynamics.com/wp-content/plugins/super-forms/uploads/php/files/dcf31eb698d942dbbdd5c99c85706f0c/75487214375.pdfIn PDF document text
    • http://www.vitrierbxl.be/wp-content/plugins/formcraft/file-upload/server/content/files/16079df662504b---2122614996.pdfIn PDF document text
    • http://www.anieliasfx.com/uploads/textareas/file/56764379310.pdfIn PDF document text
    • http://bscartridge.com/pic/xosizixagijebolatubejelu.pdfIn PDF document text
    • https://howardsteeves.com/wp-content/plugins/super-forms/uploads/php/files/3a91c9e889d7cd0795c8c82af8da29ec/81000293261.pdfIn PDF document text
    • https://www.freshstartdigitalmarketing.com/wp-content/plugins/super-forms/uploads/php/files/cc5573a0ba6d5f60dbec9a211895746e/33177049113.pdfIn PDF document text
    • https://massagetheory.ca/wp-content/plugins/super-forms/uploads/php/files/26d63ff4f55914abc31a57fa0665518b/wupasorepi.pdfIn PDF document text
    • https://www.energetisch-therapeut-estie.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607eb670d9696---68683069216.pdfIn PDF document text
    • http://www.1atlanticfunding.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abb090a29af---vofuravitarumu.pdfIn PDF document text
    • http://asckhn.com/acskhn/userfiles/file/bavatalotulagirobumose.pdfIn PDF document text
    • https://afriqueitnews.com/wp-content/plugins/super-forms/uploads/php/files/d2f8b25d0d3e6e824814bbaf6451953c/74480068424.pdfIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001aa7d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AA7D 8692 bytes
SHA-256: beb34e421b13ef13c5f40f1dd08de25ab111743cc9cdb6b93c7639b1b390c997
font_01_sfnt_off0001c2d0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C2D0 2572 bytes
SHA-256: a266c491f4931368510dae9bd4cf4b58734b51aa8192ea38aee5fe523c195c0e

Open this report in the interactive analyzer, or submit your own file for analysis.