Malicious PDF — malware analysis report

Static analysis result for SHA-256 53305a4d34285673…

MALICIOUS

PDF

160.6 KB Created: 2021-04-30 07:17:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-13
MD5: da49750088da19786f11823da2107172 SHA-1: efa4207ad3c60b6730674fbd7f866f0ce3e27a84 SHA-256: 53305a4d34285673ce86abafd29d2fb77c866cbc84c5ee95f0880db4b8bdac6f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm pointing to compromised WordPress upload storage, suggesting it's used to distribute further malicious content or phish users. The document body, though heavily obfuscated, appears to reference product manuals, a common lure for phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9411

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088ffc987ced---79876026832.pdf In PDF document text
    • http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e6a1cd6d1a---93667152767.pdfIn PDF document text
    • http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076cf86ba182---xarumogilofinapozoweniben.pdfIn PDF document text
    • https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f81f7915d5---kujukuvo.pdfIn PDF document text
    • http://www.idenet.net/wp-content/plugins/formcraft/file-upload/server/content/files/1607d4c6273b76---jiwasokenomikelafot.pdfIn PDF document text
    • https://grafitpoint.ru/wp-content/plugins/super-forms/uploads/php/files/3c505400c81e694512d29a4b2b276f92/56804900302.pdfIn PDF document text
    • http://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/32f89f3de3803e1ce02dc8ea7cce5ba3/dakumezakivuf.pdfIn PDF document text
    • http://kystop.com/wp-content/plugins/super-forms/uploads/php/files/c39cnah118ap14t06pcklb5cf6/73797564601.pdfIn PDF document text
    • https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/rgnac5dgrqk6j639qb4gg3j0b6/97519832775.pdfIn PDF document text
    • https://themodernla.com/wp-content/plugins/super-forms/uploads/php/files/d7e503bf4f582f9ec1e5ebe3f507e67c/74971878227.pdfIn PDF document text
    • https://fieldofgreen.com/wp-content/plugins/super-forms/uploads/php/files/bdea8b97ce91aafba7015f67528611ce/duwufovitimaberawalenis.pdfIn PDF document text
    • http://andreevmag.com/wp-content/plugins/super-forms/uploads/php/files/9f76998c6b2f59042b5db5e4c927c276/29813075875.pdfIn PDF document text
    • https://ecomassage.pt/wp-content/plugins/super-forms/uploads/php/files/9r2a60p0ri6r01v18g92arb1re/65763833577.pdfIn PDF document text
    • http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/1607076a8df7e2---45080673629.pdfIn PDF document text
    • https://tecsal.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608380fcb3ed9---jutilixapebup.pdfIn PDF document text
    • https://alismobile.co.uk/wp-content/plugins/super-forms/uploads/php/files/d0ee2c886506a38b5631ae3780a17e00/gereweze.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=autel+evo+manual+pdfPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000233dd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x233DD 4960 bytes
SHA-256: 790e9fc65232ec81fffe82cc6c1bdd5f38dca3a843964c8ba547059d097736d5
font_01_sfnt_off000244bc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x244BC 12292 bytes
SHA-256: 73cec9a2c6ddd92c625e4b5bf424281dcdca37629516ebab7911c29d180264bc