Malicious PDF — malware analysis report

Static analysis result for SHA-256 5187eaf96a027ebd…

MALICIOUS

PDF

49.8 KB Created: 2021-09-02 05:27:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: c920e40077c6f96339bd66de39ad14f0 SHA-1: f026cd0e95cc7fa43ff653a6ec77b2d7b546560e SHA-256: 5187eaf96a027ebdf3cb904e5e88fb4a7a44375f668cc1aa5270d4ba05377bae
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF contains embedded JavaScript and a large number of links, many pointing to compromised WordPress sites or disposable hosting. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect the user to a phishing page or download a second-stage payload. The embedded JavaScript is the primary mechanism for executing this redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8005

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://alperbehang.nl/userfiles/file/35321700159.pdf In PDF document text
    • https://susta.vn/userfiles/file/juganinejaleko.pdfIn PDF document text
    • http://xn--h1aaebajlcgx.xn--p1ai/sadm_files/42776719033.pdfIn PDF document text
    • http://aire-limpio.com/img/editor/file/90798383810.pdfIn PDF document text
    • https://universitecentrale.net/uploads/FCK_files/file/99967073698.pdfIn PDF document text
    • http://technoauto.jp/js/upload/files/86156050487.pdfIn PDF document text
    • http://ducthoaudio.com/upload/files/xilazejelarareja.pdfIn PDF document text
    • https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/3575989e95b7ea4562ee78ecc3c96351/57837568408.pdfIn PDF document text
    • http://righetti-ticozzi.it/userfiles/files/62386779202.pdfIn PDF document text
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611b6944b030d---97310429661.pdfIn PDF document text
    • http://xn--42-6kcdlkbomh7beggito5p.xn--p1ai/userfiles/file/3119735516.pdfIn PDF document text
    • http://studioaba.net/userfiles/files/35073805087.pdfIn PDF document text
    • http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c48e02953bb---punatixatinirofu.pdfIn PDF document text
    • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608bcbb96edae---fujiso.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e055928d4b---92036215499.pdfIn PDF document text
    • https://www.asahinafunnels.com/wp-content/plugins/super-forms/uploads/php/files/r238s7cuj7m5bjv4ubvftcosa7/gepogod.pdfIn PDF document text
    • https://hoovermaids.com/wp-content/plugins/super-forms/uploads/php/files/94ba7c1e393cda7f994a797759ddcf7f/dojuzufijoxawu.pdfIn PDF document text
    • http://dellalontra.it/userfiles/files/46951509373.pdfIn PDF document text
    • https://www.marjojaspers.nl/ckfinder/userfiles/files/12004137297.pdfIn PDF document text
    • http://tajeer.co/userfiles/file/89596886958.pdfIn PDF document text
    • http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/16090f120872a9---mebozewaxujapisokobus.pdfIn PDF document text
    • https://arnetbilgisayar.com/upload/ckfinder/files/mifevirawipisewamu.pdfIn PDF document text
    • https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/160867624b687e---zokifoduwakira.pdfIn PDF document text
    • https://www.toptalentusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ede83d85f19---4080746623.pdfIn PDF document text
    • https://trucraftsmanship.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdde8dec2a7---xevifaforevumijurumaf.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=txt+and+btsPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.