Malicious PDF — malware analysis report

Static analysis result for SHA-256 5227f01b48bf5dc0…

MALICIOUS

PDF

71.7 KB Created: 2021-09-14 08:43:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 3140b920e460916092fc85b9b9a45116 SHA-1: 5a5004e7345152c3f0594a0d11564cf402125d52 SHA-256: 5227f01b48bf5dc05beb5f6f48931be1dfa4def19bcf38114d6e95db40ea251b
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a malicious PDF by ClamAV, specifically as a phishing trojan. Static analysis reveals it functions as a link farm, with numerous embedded URLs pointing to external sites. Several of these URLs are hosted on compromised CMS platforms, indicating a potential distribution or hosting strategy for malicious content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3888

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://montpellier-businessplan.eu/mbp/upload/images/images/upload/ckfinder/tesezux.pdf In PDF document text
    • http://kondicionery-himki.ru/upload_picture/file/9898968408.pdfIn PDF document text
    • https://thietbivesinhanhhuy.com/asset/files/rizewiweduzema.pdfIn PDF document text
    • https://www.borzabadi.com/ckfinder/userfiles/files/jusilasorevuwe.pdfIn PDF document text
    • https://eccdc.org/application/webroot/userfiles/file/38701597470.pdfIn PDF document text
    • http://schouteninterieurwerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/161330e79f21b9---wisevapemu.pdfIn PDF document text
    • https://mexico-airport-transfers.com/ckfinder/userfiles/files/wemodelaxatikerenelig.pdfIn PDF document text
    • http://afro-safari.com/upload/files/voruf.pdfIn PDF document text
    • http://sichera.eu/userfiles/files/78726715633.pdfIn PDF document text
    • https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/161328b12ba554---99813135218.pdfIn PDF document text
    • http://www.sindafaz.com.br/admin/editor/ckfinder/userfiles/files/4679492719.pdfIn PDF document text
    • http://honyi.tw/ckfinder/userfiles/file/kilugenapunobojafi.pdfIn PDF document text
    • https://nhahangthanghuong.com/uploads/files/pojawusozalaviga.pdfIn PDF document text
    • http://cokhiminhhien.com/media/ftp/file/46280384159.pdfIn PDF document text
    • http://ats-dz.com/userfiles/file/38282962859.pdfIn PDF document text
    • http://madonnina.info/userfiles/files/26042621789.pdfIn PDF document text
    • https://sahodayabbsr.com/test/fckeditor/file/jixazotosabaxakigox.pdfIn PDF document text
    • https://gifarlcm.com/upfiles/editor/files/24596424275.pdfIn PDF document text
    • https://magicdiscoradio.hu/userfiles/file/kozuzitidozezibaxude.pdfIn PDF document text
    • https://www.cir.cloud/wp-content/plugins/formcraft/file-upload/server/content/files/1613bfc8e7d096---rawitukafe.pdfIn PDF document text
    • https://gazeta-msp.pl/user_files/File/89229502065.pdfIn PDF document text
    • http://eluvial.com/sites/all/sites/eluvial.com/files/44870913078.pdfIn PDF document text
    • http://www.zywawiara.pl/pliki/nutul.pdfIn PDF document text
    • http://spakimthi.com/upload/files/2732617643.pdfIn PDF document text
    • http://immobilieninvestors.com/userfiles/file/33151921758.pdfIn PDF document text
    • http://3dprofi.net/images/uploads/file/45728821188.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=printing+press+read+write+thinkPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00010b3f.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x10B3F 10684 bytes
SHA-256: 7f0b2b1afbaf41bb6368af934bda5e020cba6c42328cb9658b4ac293aa45f6bd
font_00_sfnt_off0000c7da.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC7DA 16864 bytes
SHA-256: fb1f7e795c8db3df6dac2e111821b6fde7613fb67ad1fe2aede890843db12634
font_01_sfnt_off0000f328.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF328 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.