Malicious PDF — malware analysis report

Static analysis result for SHA-256 5307718487366899…

MALICIOUS

PDF

68.5 KB Created: 2021-07-24 20:23:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 4ada0eb6450effedbc059ce92c89c092 SHA-1: 9c29720b2435b2e4dab6d437ac46981991f2fe2c SHA-256: 5307718487366899a7f92fa91665bc23ba3c2a0d20f9753603b8ef0cc596cc89
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a PDF containing a link farm, with multiple URLs pointing to compromised WordPress sites. ClamAV detected it as Pdf.Phishing.Trojan, indicating a malicious intent to lure users to potentially harmful content. The presence of numerous links on disposable hosting and compromised CMS uploads strongly suggests a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3499

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://phonphangschool.com/upload/files/26867538975.pdf In PDF document text
    • https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/9f04bd8e4371bf25a287acb043e1156a/91005189303.pdfIn PDF document text
    • http://fvv-hohenfelde.de/sites/default/files/files/41331338077.pdfIn PDF document text
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160c21041be080---41245068021.pdfIn PDF document text
    • https://ebooksweb.net/files/file/9350938816.pdfIn PDF document text
    • https://www.avenueroadadvertising.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070f284b9c55---95198549354.pdfIn PDF document text
    • http://abpaluso.com/upload/file/bufojexomunamewusixexanor.pdfIn PDF document text
    • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/9fa56da6d53c26ab06c6d282e805a8b9/kerazisigunuwafo.pdfIn PDF document text
    • http://asirius.su/wp-content/plugins/super-forms/uploads/php/files/d40295cca9350db732a8479e0e54c9e1/rivazidonesokugetuziko.pdfIn PDF document text
    • http://ajivikafinance.com/userfiles/file/deneluxagunajujinivitop.pdfIn PDF document text
    • https://estoniapools.com/contents//files/41254541796.pdfIn PDF document text
    • https://www.alapan.org/fckimages/file/denam.pdfIn PDF document text
    • http://romanakladatelstvi.cz/userfiles/file/wivir.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a046f0b1f4b---darupobobex.pdfIn PDF document text
    • https://www.truesdalepainting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a03d0dd743---64471313884.pdfIn PDF document text
    • http://tomaszfilipczak.pl/userfiles/file/biwopo.pdfIn PDF document text
    • https://creativesilhouettes.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160cdf5c59cc11---86985096444.pdfIn PDF document text
    • http://extracam.es/app/webroot/arxius/file/25859742211.pdfIn PDF document text
    • https://renault-service.com/userfiles/58702155656.pdfIn PDF document text
    • https://www.prowallpanama.com/wp-content/plugins/super-forms/uploads/php/files/41da61af15d358908b355a7a60c2ab4e/xudadunujopezonadef.pdfIn PDF document text
    • https://torrentclub.vip/wp-content/plugins/super-forms/uploads/php/files/8agp72csfjjc6ad7munomuktcl/sarowalapebozasugomi.pdfIn PDF document text
    • http://d4sontario.ca/clients/e/ed/ed023a0734c265ca673a92d1d81de675/File/terizadama.pdfIn PDF document text
    • https://footballsod.com/images/ck-uploads/files/86299962868.pdfIn PDF document text
    • https://brokenspoke.com/wp-content/plugins/super-forms/uploads/php/files/753d01e45b65c8e991e2ef56b20a9abd/wubok.pdfIn PDF document text
    • https://kalyna.ua/sites/default/files/userfiles/file/rotupaputa.pdfIn PDF document text
    • http://qiangka.com/ckfinder/userfiles/files/lawonuvakofibumibel.pdfIn PDF document text
    • http://oletrans.sk/editor_uploads/files/miranepidulavedipiwevux.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a081306875b---42637425541.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=how+to+use+conair+foot+bath+with+bubbles+and+heatPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cbcf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCBCF 10888 bytes
SHA-256: a8345a57d0841234f5fbca8ebbdf793cc3059acbb1fe808e4196d8d7d9780a3e
font_01_sfnt_off0000e4f4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4F4 15808 bytes
SHA-256: 4ac5cb8c7c7ec307ce5d0a8ba44a8fe9ca310f759f3847e86eb88c9d3cbd1d49