Malicious PDF — malware analysis report

Static analysis result for SHA-256 569e152db2accc2a…

MALICIOUS

PDF

63.7 KB Created: 2021-07-16 06:45:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 2d47ab98fc49444f1756f9b10713ab7f SHA-1: 85b0e2d915a4fce1860cf69f9bb5c463035c2116 SHA-256: 569e152db2accc2a665622e329522b66f3a5dbfaf3ca662f068cb8e90423aec4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a link farm pointing to multiple compromised WordPress upload directories, suggesting an attempt to host malicious content or redirect users to phishing sites. The presence of external URIs and a link farm heuristic further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5433

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://qualitylightsolutions.com/wp-content/plugins/super-forms/uploads/php/files/be588b2637c8e3e2e71945da98350c32/37309944445.pdf In PDF document text
    • https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606c914ea4eab---85013465462.pdfIn PDF document text
    • https://krimgranit.ru/wp-content/plugins/super-forms/uploads/php/files/7c438b3dd38df9831cd66e9196320d6e/50601665697.pdfIn PDF document text
    • http://myboydfamily.com/clients/7/7f/7f513a2250c12de81a70a6735749c289/File/98223145514.pdfIn PDF document text
    • https://growlocals.com/wp-content/plugins/super-forms/uploads/php/files/253156357ee79188c9957f967e22dc44/vopuwo.pdfIn PDF document text
    • http://grafordexstudents.com/clients/0/05/05b3dbe7dd9dc6f92b523d2b721f2ffd/File/burowovadunesiburenamimi.pdfIn PDF document text
    • http://araonline.hu/uploads/file/pizinotuxivaporadupatim.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c96739e430---mobojoragevu.pdfIn PDF document text
    • https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/517e4e20bba18f165fa7273cfbac3a6d/83592232122.pdfIn PDF document text
    • https://afanasyev-design.ru/wp-content/plugins/super-forms/uploads/php/files/a257d933b1ecf07049a019bce3ff4b0f/nepewovutajodivamul.pdfIn PDF document text
    • https://www.haievent.com/wp-content/plugins/super-forms/uploads/php/files/42b31ouupd49892kv7pbgcf17i/nowixumiv.pdfIn PDF document text
    • http://www.biotanika.pl/upload/file/97351495854.pdfIn PDF document text
    • https://namastehealth.in/wp-content/plugins/super-forms/uploads/php/files/vv55fm74fit1kbpvhcvgdnddrq/wanukak.pdfIn PDF document text
    • https://rhdplumbing.com/wp-content/plugins/super-forms/uploads/php/files/a00c7c050d0b6f59bc2449b9e4af1feb/jopubizivatu.pdfIn PDF document text
    • https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/7c1d4add446fd232ed3d8a5b795ee1a4/xujapa.pdfIn PDF document text
    • https://www.rockandroll.blog.br/wp-content/plugins/super-forms/uploads/php/files/b3uurnvsuikskndao6fg8kutk4/48718481157.pdfIn PDF document text
    • https://fceresources.com/ckfinder/userfiles/files/kenanavunogovebugo.pdfIn PDF document text
    • http://akcjonariusz.com/UserFiles/file/tuxozo.pdfIn PDF document text
    • https://www.bouwenaaneensterkwerkgeversmerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b5ae9645371---xaraxe.pdfIn PDF document text
    • http://math-talk.kr/wp-content/plugins/super-forms/uploads/php/files/g9d5kq5etd9a53upfj2eh3dq04/99293443530.pdfIn PDF document text
    • https://stellabakingcompany.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c84dfdc3efb---wonij.pdfIn PDF document text
    • https://mosoptagro.ru/wp-content/plugins/super-forms/uploads/php/files/4df466259e83caf336ac9c032105f8ec/xejudofosa.pdfIn PDF document text
    • http://lyzebrno.cz/userfiles/file/62959690046.pdfIn PDF document text
    • https://glass-haus.ru/wp-content/plugins/super-forms/uploads/php/files/96522ca37039b26ab7c5372be9b539de/48741163920.pdfIn PDF document text
    • http://www.hotel-margherita.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091e6d0efeae---pibemagu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=check+for+convergencePDF link annotation