Malicious PDF — malware analysis report

Static analysis result for SHA-256 53ed1d9ccd222c42…

MALICIOUS

PDF

72.1 KB Created: 2021-09-23 02:54:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: d76e5a34237bbf886c03375a39a5253e SHA-1: 9362575896d3f36c9817d9b117ece1f3ba15609f SHA-256: 53ed1d9ccd222c4233a9125be8e3d857aadcccd813a804d8e44cc91dd0bb78cd
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as malicious by ClamAV and exhibits characteristics of a link farm, with numerous embedded URLs pointing to potentially compromised or disposable hosting. The heuristic PDF_SEO_DISPOSABLE_LINK_FARM indicates a non-clustered link farm on disposable hosting, and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM suggests links to compromised WordPress upload storage. These elements strongly suggest the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4393

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=chromatic+tuner+apk PDF link annotation
    • https://cosmopolitanhotel.eu/uploads/wysiwyg/files/18782172093.pdfIn PDF document text
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/16133582f719ce---27830922700.pdfIn PDF document text
    • http://onlinepravenconsultant.com/uploads/wysiwyg/files/13171997237.pdfIn PDF document text
    • https://profitaler.com/UserFiles/file/vuferarefe.pdfIn PDF document text
    • http://cnmrobotics.com/files/files/jaroruwodokibadi.pdfIn PDF document text
    • http://moriefrusca.com/userfiles/files/37259430895.pdfIn PDF document text
    • https://songhong.info/userfiles/file/31959768703.pdfIn PDF document text
    • https://wecareprogram.org/images/file/50084186547.pdfIn PDF document text
    • http://skonasystems.com/userfiles/file/96851862999.pdfIn PDF document text
    • https://laxmigrouppune.com/wp-content/plugins/super-forms/uploads/php/files/8fb34969df6ebdf213ab87ed133e7361/pojefekuruvibuv.pdfIn PDF document text
    • http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/5037ca92263ddc1772ce891a7c9c8069/95410613724.pdfIn PDF document text
    • https://brakos.it/file/lelutobuzanusipesadifa.pdfIn PDF document text
    • http://vektor-bezpeki.com/userfiles/files/4111117436.pdfIn PDF document text
    • http://planbmedia.hu/files/1968712713.pdfIn PDF document text
    • https://dakotaterritorydevelopment.com/ckfinder/userfiles/files/xewexadevixapamo.pdfIn PDF document text
    • http://raduzhniy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612fd445174a5---dulaxezakajolike.pdfIn PDF document text
    • https://alixdemassy.fr/userfiles/file/54056064709.pdfIn PDF document text
    • http://starwindows.ie/ckfinder/userfiles/files/38475603286.pdfIn PDF document text
    • http://balletpanov.com/uploads/files/rusafunorosodek.pdfIn PDF document text
    • http://bancasemecanino.com/userfiles/files/kavumalufejixusefatelitu.pdfIn PDF document text
    • http://karlsbach.de/userfiles/files/nomebavelasapinixagu.pdfIn PDF document text
    • http://fs-select.com/images/blog/file/84933496962.pdfIn PDF document text
    • http://china-engine.net/ckfinder/userfiles/files/32227651092.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e131.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE131 10648 bytes
SHA-256: 148f84af6e4a2a0206b4295f9aa84b04f9ea6bc7bedeb2aafddf87a90e88fedf
font_01_sfnt_off0000f971.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF971 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1