Malicious PDF — malware analysis report

Static analysis result for SHA-256 570b40765bf528a7…

MALICIOUS

PDF

117.1 KB Created: 2021-09-07 23:19:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: b282ce6bf16799c5af2a2692155d82f3 SHA-1: 2f545e34e424ce92bff8e31263003011a5c5b8ed SHA-256: 570b40765bf528a75a5ea21ace7c6a8eb0b80b33f723cb7c5a9ed9adfd0c745b
132 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript and numerous external links, many pointing to compromised CMS uploads or disposable hosting, indicating a phishing or malware distribution attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment. The embedded JavaScript likely facilitates the redirection to these malicious URLs.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3037

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=isotopes+pogil+worksheet PDF link annotation
    • http://cp-1.ru/userfiles/files/pinunikelet.pdfIn PDF document text
    • http://tokyoracing.hu/userfiles/file/nomodilivoviwojugakigirur.pdfIn PDF document text
    • https://condicionamentofisico.com/arquivos/file/sijugaj.pdfIn PDF document text
    • https://uangraja.com/contents//files/lobalewo.pdfIn PDF document text
    • https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/jl0nc3tsbqebs1v0mnmsciu4n8/zovuxavixidivakinasilulax.pdfIn PDF document text
    • https://santehsevast.ru/userfiles/files/pejusikaxomev.pdfIn PDF document text
    • http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160749700735cc---jaxudabikaxuwamun.pdfIn PDF document text
    • https://certifiedmoversinc.com/wp-content/plugins/super-forms/uploads/php/files/1fde449c90752f0ad3525191b7c57bca/6108850932.pdfIn PDF document text
    • https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/a5ecf2c8276e22b2bf8aea0a9871e958/64573489320.pdfIn PDF document text
    • http://prvugkh.ru/uploads/files/93834544357.pdfIn PDF document text
    • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608003b099ec9---zinodovutufabatosizokil.pdfIn PDF document text
    • https://autotoner123.com/home/autotone/public_html/ckeditortest_WORKING/ckfinder/userfiles/files/84923934232.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/b3a6b0c1d38f29360d25e33a43e725d8/sibelagibikojorej.pdfIn PDF document text
    • http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c342696d1be---fejokir.pdfIn PDF document text
    • https://paeonia.ch/userfiles/files/77886456034.pdfIn PDF document text
    • https://ladangmimpi.com/contents//files/tusupilizagoxekonilimiziz.pdfIn PDF document text
    • https://www.shamshabaddiocese.org/files/js/ckfinder/userfiles/files/66716282626.pdfIn PDF document text
    • https://www.audifonosdoshoydos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ccc55610187---88508655649.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/33n1mhtajk3olocq9ne067gj53/27345528012.pdfIn PDF document text
    • http://elcwma.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/10464373651.pdfIn PDF document text
    • http://adveotec.com/img/file/20832409111.pdfIn PDF document text
    • https://istanajp2.com/contents//files/96214730450.pdfIn PDF document text
    • http://ipsgroupjjn.org/userfiles/file/53820237211.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00018b41.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18B41 10392 bytes
SHA-256: 87e194a23ce17895dc72efc23ae5913d7d355eacb436c288406a16de1661e580
font_01_sfnt_off0001a2fd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A2FD 18092 bytes
SHA-256: b9fd76ab15268eae41bc0adaa94ca95c2264e12524d6445201a9b60168ad1f40