Malicious PDF — malware analysis report

Static analysis result for SHA-256 55afd5071ecac205…

MALICIOUS

PDF

47.7 KB Created: 2021-05-28 22:18:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: 8687b7e93f6d392fbe92814e8d4c46f3 SHA-1: f2f3e069e65eba0d3ea9d7d2701fc85e581b7798 SHA-256: 55afd5071ecac20587ce921f6acc03701e0ba047a43c7e3eb083e6be69739959
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links to compromised WordPress upload directories, suggesting it is part of a link farm designed to host and distribute malicious files. The document body, though heavily obfuscated, appears to be a lure related to game mod installation, aiming to trick users into downloading further malware. ClamAV detection and ML classification strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7205

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://workprohealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/160805278b698d---17427497374.pdf In PDF document text
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608124519d41c---sapagafitusasobedob.pdfIn PDF document text
    • http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160785162bafea---vatilipekokagajanava.pdfIn PDF document text
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/9c0d8c1ca1afdfc55e8502510e28a4e1/vesipekebibakupetulu.pdfIn PDF document text
    • http://3handseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4e9144a031---38095206992.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608e482bae402---ganetaxoxalunuzu.pdfIn PDF document text
    • http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160862c44967c8---rusaxuroj.pdfIn PDF document text
    • https://www.northamericatalk.com/wp-content/plugins/formcraft/file-upload/server/content/files/160734b056d5c9---rinasugodofolo.pdfIn PDF document text
    • https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609369e606ac0---gopibogamesedikateb.pdfIn PDF document text
    • https://www.acetechnology.co.in/wp-content/plugins/super-forms/uploads/php/files/iii4qehpehi1bh31hfb1vnu1n4/lidusagozamukafi.pdfIn PDF document text
    • https://member-amz-seller-system.de/wp-content/plugins/super-forms/uploads/php/files/b24e998d9e3f099a290632778d096505/42832759003.pdfIn PDF document text
    • https://bharatbiodiesel.com/userfiles/file/87238698925.pdfIn PDF document text
    • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/b0a80989658943f9a4f47f55080a92ea/vunaru.pdfIn PDF document text
    • http://texmet.pl/userimages/file/60503411881.pdfIn PDF document text
    • https://cruiseship.cruises/wp-content/plugins/super-forms/uploads/php/files/nv4nf675fhmvf7338g6jpma4mg/ripomorixuxolomejisel.pdfIn PDF document text
    • https://frennphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/160798911513d9---zedenev.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=how+to+install+command+and+conquer+generals+zero+hour+enhanced+modPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.