Malicious PDF — malware analysis report

Static analysis result for SHA-256 56bc9e04e67abd02…

MALICIOUS

PDF

69.2 KB Created: 2021-09-24 02:50:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: 4023759c3540620ccc28e23edb796f58 SHA-1: b137d3831580ec36033da9afc03198d06382d842 SHA-256: 56bc9e04e67abd0234ac99af543558f7f64be603f36da8a635de1780399bcb7f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged by ClamAV as a phishing trojan and by an ML classifier as malicious. It contains numerous links to compromised WordPress uploads and disposable hosting, suggesting it's part of a link farm designed to redirect users to malicious sites. The primary goal appears to be directing users to external, potentially compromised, URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6930

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/16139dbad8ee4e---76093518685.pdf In PDF document text
    • http://buffagiuseppeinfissi.com/userfiles/files/96369278911.pdfIn PDF document text
    • http://cga82.com/admin/File/vasavubofakurux.pdfIn PDF document text
    • http://meghdoothsuzuki.com/uploads/mevakapajeriginoweg.pdfIn PDF document text
    • https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614d074a91f15---91645836929.pdfIn PDF document text
    • http://mopi.eu/ckfinder/userfiles/files/naxogelizedelarogem.pdfIn PDF document text
    • http://homelife-superstars.com/image/files/tatafezikikapiwijiz.pdfIn PDF document text
    • https://sma-dfgg.org/site/admin/file/koruzulaluloxek.pdfIn PDF document text
    • https://www.highettmetal.com.au/application/third_party/ckfinder/userfiles/files/27578905060.pdfIn PDF document text
    • https://lifesmart.ro/ckfinder/userfiles/files/gelurox.pdfIn PDF document text
    • http://vrakskodamnetice.cz/file/43667415056.pdfIn PDF document text
    • http://ykzn8.com/upfiles/editor/files/bozeru.pdfIn PDF document text
    • https://rescue.bg/wp-content/plugins/formcraft/file-upload/server/content/files/1614b3e6ed5761---vonabisotadafenin.pdfIn PDF document text
    • https://leanuslab.com/UserFiles/file/91332153423.pdfIn PDF document text
    • https://pmcp-avac.com/files/upload-ckfinder/files/jonutijevafewifazijetin.pdfIn PDF document text
    • http://archissimo.eu/userfiles/files/69554094740.pdfIn PDF document text
    • http://thevalleytrader.com/files/29481715853.pdfIn PDF document text
    • http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/bf43a9864823d16ad40260b6b63975f5/3879849154.pdfIn PDF document text
    • http://pengyou-english.com/FileData/ckfinder/files/20210919_4B84D5A9E1734144.pdfIn PDF document text
    • https://es21sys.com/userfiles/file/vuduredefumofe.pdfIn PDF document text
    • http://captaincook.hu/userfiles/file/54929899495.pdfIn PDF document text
    • http://grandioso.asia/editor_upload_image/file/95769158351.pdfIn PDF document text
    • http://about-dogs.ru/upload/file/69362328248.pdfIn PDF document text
    • http://sdtr.mdrap.ro/fckeditor/uploads/file/rojumijanapuv.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=farmacologia+goodman+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ce9d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCE9D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e6b4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE6B4 10540 bytes
SHA-256: 6c27b810b4e078e25d7607475dc73e82ed0e8ac93fa7753e79f8377c079f1b9b