Malicious PDF — malware analysis report

Static analysis result for SHA-256 54a4dad6707ebfd9…

MALICIOUS

PDF

65.9 KB Created: 2021-10-01 14:47:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: fe79241e100f74b3f830b845c8265972 SHA-1: 47e1a6035860770b5b4bb2c25340f054f3b337f5 SHA-256: 54a4dad6707ebfd9880404b96db14784b1ffd8441c912e7e23468e9ee5698945
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and multiple external URIs, indicating it is designed to redirect users to potentially malicious websites. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' strongly suggest a phishing or malware distribution scheme. The embedded JavaScript likely facilitates the redirection or further payload delivery.

Machine Learning

  • Nyx PDF Classifier clean score 0.0411

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://autosoftware.company/autoresponders_images/files/664239546.pdf In PDF document text
    • https://jlgardner.org/home/jlg/public_html/ckfinder/userfiles/files/xopupaxujurovesi.pdfIn PDF document text
    • https://needlugs.com/userfiles/files/89881871633.pdfIn PDF document text
    • http://steakclubhn.com/campannas/file/58303385077.pdfIn PDF document text
    • http://rockycheng.com/ckfinder/userfiles/files/kilifawamiwov.pdfIn PDF document text
    • https://h16hr15k-h19hr37urn.com/contents/files/bokamazuvobogogidopomiz.pdfIn PDF document text
    • http://nawaress.com/webroot/js/ckfinder/userfiles/files/sezuzopubo.pdfIn PDF document text
    • https://freshchannels.com/home/sites/freshchannels/public_html/ckfinder/userfiles/files/76692915357.pdfIn PDF document text
    • http://anneadamslaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/95130412245.pdfIn PDF document text
    • https://crv.dascalita.ro/app/webroot/files/userfiles/files/38011765100.pdfIn PDF document text
    • https://brylka-kfz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613e635fc2726---71357945465.pdfIn PDF document text
    • http://www.chinahkcarplate.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d58e2cfed5---getibarukatetewalunazeve.pdfIn PDF document text
    • https://theipbuzz.com/images/file/27352130765.pdfIn PDF document text
    • https://fiscalonline.eu/app/webroot/files/userfiles/files/wefowotadefamigepukogavu.pdfIn PDF document text
    • https://nonbodepsg.com/uploads/files/togonipivejesetugasavet.pdfIn PDF document text
    • http://adbrf.com/files/fckeditor/file/32041848361569681e7ad5.pdfIn PDF document text
    • https://servauto.fr/img/user/file/58566461420.pdfIn PDF document text
    • https://greenlakecruises.com/ckfinder/userfiles/files/41406917309.pdfIn PDF document text
    • http://bodybybodyology.com/ckfinder/userfiles/files/nikarowesoxuwidovotilavu.pdfIn PDF document text
    • https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/1612f99ef73024---7057266489.pdfIn PDF document text
    • http://fcgo.tw/uploadpic/files/96532510867.pdfIn PDF document text
    • https://km2804.com/ckupload/files/17943613176.pdfIn PDF document text
    • http://accutindustry.com/Upload/files/20210922133856.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=bang+mods+pubg+hackPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000adf4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xADF4 14672 bytes
SHA-256: 3e7c2f975096a5c8ec2c43d32b2a9a7faf7a694cfe89f02cb96929acab8d49f3
font_01_sfnt_off0000d2b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD2B3 10880 bytes
SHA-256: f3abf181859ad94a15efbb54c7360087bb8da21f6c720348c347146e781058ed
font_02_sfnt_off0000eb39.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB39 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.