Malicious PDF — malware analysis report

Static analysis result for SHA-256 57fec6980b56ad0c…

MALICIOUS

PDF

72.0 KB Created: 2021-08-18 22:01:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: ccc0384857c03005c6341378cd4259d0 SHA-1: e069247f92844a9e576efbb7de598b9a768d9636 SHA-256: 57fec6980b56ad0cd473b2aaa02665400cbb73e3437b2d98ce6997d8f1a7eacd
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a link farm pointing to numerous URLs, many of which are hosted on compromised WordPress sites or disposable domains. This behavior is indicative of a phishing or malware distribution campaign, where users are lured to malicious sites. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9440

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/op4ib4cilq89v86suve2gsrbh5/13849933062.pdf
    • https://an-professional.ru/img/files/file/zosefujazewaverifabelavu.pdf
    • http://opalbiosciences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b96d83e8e25---29965697170.pdf
    • http://coinmarketsuite.com/ckfinder/userfiles/files/80406092095.pdf
    • https://churchosonline.com/wp-content/plugins/super-forms/uploads/php/files/1bdf6d7f0fbfb8138761cd2114bd9ebc/pizegeko.pdf
    • http://m-s-g.ru/userfiles/files/jugojujafeduvu.pdf
    • https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/ffaf9226c1a5d1789ad81beaae7b19c5/fuvusuvafanezojuxise.pdf
    • http://szyldkj.com/luodan/images/userfiles/file/pitoz.pdf
    • https://goactive.hu/wp-content/plugins/super-forms/uploads/php/files/2d485121d2218887ac4dd68b6fee9ac5/vutevifitonolusenemojoni.pdf
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/c018ffe2f693c573970da9f46ed631c3/sinotibatiraxo.pdf
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/06f83cdc1aef6954054517e408bc69b5/1884536199.pdf
    • http://cinstech-inspect-survey.com/fckeditor_userfiles/file/95155498840.pdf
    • http://dirabrealtors.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a7d619dc28---40822822231.pdf
    • https://readxyz.org/wp-content/plugins/super-forms/uploads/php/files/7bc52a32b5cf5113caf38b8433ad6a32/minukugoxafubidefapugaba.pdf
    • http://gezond-trakteren.nl/kasteel-doornenburg-img/bestandenfile/wigum.pdf
    • http://lucann.com/Upload/file/62801957983.pdf
    • http://drapikowski.pl/uploaded/fck_files/file/bovudiwitewabiko.pdf
    • http://www.sandzthabapanel.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1610754e1b969a---riwipular.pdf
    • http://fabrykakonwersji.pl/wp-content/plugins/super-forms/uploads/php/files/284a9be49e9caa632c6e25de6dfa6a8c/77242172052.pdf
    • http://sovaimm.it/userfiles/files/29687986482.pdf
    • http://kcobafl.org/ckfinder/userfiles/files/71625825614.pdf
    • https://balbok.net/admin/ckfinder/userfiles/files/91041417228.pdf
    • http://www.sunaryem.com.tr/wp-content/plugins/super-forms/uploads/php/files/8i06992bmdd7kvd0kd9p6vk1u7/buvifus.pdf
    • http://chinalabware.net/d/files/muwevugarewumijasuvugun.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=kerala+psc+assistant+engineer+civil+irrigation+syllabus
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e253.bin
e0e2f7d305518f81b86978fe661fc9fa2bc4dbf4b8a4f47a479fd8bce7a30ef2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE253 17300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.