Malicious PDF — malware analysis report

Static analysis result for SHA-256 540117793ee7dee6…

Verdict: MALICIOUS
File type: PDF
Size: 65.6 KB
Created: 2021-07-06 13:34:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11
MD5: 7abfb1c137844335a543ab6dfbfd4a8f
SHA-1: e5dbd1ceef7028f5899dddbc93d602dd8548c937
SHA-256: 540117793ee7dee6e58863ec94d18c5c1c9967ca59284c170b7616ab8272a8ce
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous links to external websites, many of which are hosted on compromised WordPress installations or disposable domains, indicating a link farm designed to redirect users to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or malware distribution intent. No scripts were extracted, but the extensive use of external links points to a watering hole or phishing attack.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3605

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://inwebjor.ru/uplcv?utm_term=restore+in+hebrew+meaning (PDF link annotation)
    • http://beastyenergy.com/userfiles/file/perixodurozuje.pdf (in PDF document text)
    • http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d9fcb2a02b2---16266187918.pdf (in PDF document text)
    • https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/5e72ad8ad96ec407a2b41870a590a2b4/fufozotopekawov.pdf (in PDF document text)
    • https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/7ddcdd95cd66a5521fe0fa748a222cb8/95297966817.pdf (in PDF document text)
    • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/o4edo019542ic0ukct0pc52g2l/xijituze.pdf (in PDF document text)
    • http://humanitool.ru/userfiles/file/7291469163.pdf (in PDF document text)
    • http://thepokeluau.com/uploads/files/65419789258.pdf (in PDF document text)
    • http://spoanalyze.com/wp-content/plugins/super-forms/uploads/php/files/272bdf4fbc9d13a06ea91ff95118d30f/39945860136.pdf (in PDF document text)
    • http://highendschmiede.de/highendfiles/file/zaxiwalomem.pdf (in PDF document text)
    • https://ptogel2.com/contents//files/sofojiwulipeduvozerubozok.pdf (in PDF document text)
    • http://bjoybrands.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fb50360a79---papexe.pdf (in PDF document text)
    • http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c77d863f495---37788938854.pdf (in PDF document text)
    • http://cartopack.com/Images/file/84786053774.pdf (in PDF document text)
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cdf2a81955---96699208341.pdf (PDF link annotation)
    • https://www.eziblank.com/wp-content/plugins/super-forms/uploads/php/files/ef5a0a0374d1e834cae5dd996695ea6e/24960597004.pdf (in PDF document text)
    • https://engineeredrepinc.com/wp-content/plugins/super-forms/uploads/php/files/4d3bc2d89633f610a0d95d229e0740c0/zisadusobamokolupubuvum.pdf (in PDF document text)
    • http://koreaseals.com/ckfinder/userfiles/files/73253603530.pdf (in PDF document text)
    • http://haiphongcontest.com/images/files/rurivudurim.pdf (in PDF document text)
    • https://aryaayur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a2a53d21fb---jofaligaxukegazajan.pdf (in PDF document text)
    • https://www.alignerco.ca/wp-content/plugins/super-forms/uploads/php/files/ace92aec74b5945a6b23eeda31152a6f/rezusududugudav.pdf (in PDF document text)
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/160760231c7ad1---rofeb.pdf (in PDF document text)
    • https://www.sgestrecho.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607dc471e636e---tofavojizewer.pdf (in PDF document text)
    • http://gwardiajuvenia.pl/zdjecia/fck/file/17668400063.pdf (in PDF document text)
    • http://sam-global.info/files/file/64293950258.pdf (in PDF document text)
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/9c6efc3970d5ba15b78bedce77f001e0/dadaxigibekemerobi.pdf (in PDF document text)
    • https://riverasphotovideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092ffc44de46---tajerizomibabotipoji.pdf (in PDF document text)
    • http://inspirationallabels.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607e8a160e3fe---32547797156.pdf (in PDF document text)
    • https://apsco.ly/userfiles/files/79341239655.pdf (in PDF document text)