Malicious PDF — malware analysis report

Static analysis result for SHA-256 5876d539c7235d4c…

MALICIOUS

PDF

67.8 KB Created: 2021-09-04 03:32:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: d1383e082296f91a0f84ce2570bb6c38 SHA-1: 3cdc5f82cf98d7ab5f4196d2bb3b746d91edbff3 SHA-256: 5876d539c7235d4c9d1ebee91bf9c9b49d2eed3e3a8d6393cfd78b0b0ac4974d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains numerous links pointing to compromised websites, indicating a link farm designed to redirect users. Heuristics suggest it's a phishing or malware distribution lure. The ClamAV detection and ML classifier further support its malicious nature, likely serving as an initial vector for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7907

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gpba.ge/admin/ckeditor/ckfinder/userfiles/files/16712463775.pdf In PDF document text
    • https://ontime-taxi.kg/wp-content/plugins/super-forms/uploads/php/files/7eef6ec63fc6017ecf775e8bd9a33ec8/rabovuxoxalomu.pdfIn PDF document text
    • http://intechsol.kz/wp-content/plugins/formcraft/file-upload/server/content/files/160721d3ce12e6---rujepisigozavovotap.pdfIn PDF document text
    • http://www.moteco.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b59048b60b4---80079205350.pdfIn PDF document text
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160915988bdc49---sevanilotekala.pdfIn PDF document text
    • http://globalsublimation.net/uploadfile/files/zepolul.pdfIn PDF document text
    • http://uyaviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/161109c2e87199---64870473392.pdfIn PDF document text
    • http://tiendanatacion.com/noticias/files/filolusek.pdfIn PDF document text
    • https://realestateconnect.biz/wp-content/plugins/super-forms/uploads/php/files/75eerqt9ri7qucn1q3qu8ppqa0/riwemedujewodanegupegas.pdfIn PDF document text
    • https://pernambucoimortal.com/imagens/files/junumidifetafidusulujiv.pdfIn PDF document text
    • http://www.gcsystem.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb11c4edab---76517943766.pdfIn PDF document text
    • http://uniradioweb.info/userfiles/files/tufosonimokebabimur.pdfIn PDF document text
    • http://www.psoealora.es/ckfinder/userfiles/files/4400771917.pdfIn PDF document text
    • http://princeton1959.com/clients/863834/File/31499557198.pdfIn PDF document text
    • https://pacie.vn/web/uploads/files/wejegese.pdfIn PDF document text
    • https://www.bluegreenshouseboats.in/wp-content/plugins/formcraft/file-upload/server/content/files/160a2ae862a973---64304823618.pdfIn PDF document text
    • https://www.travelticket.com.au/wp-content/plugins/super-forms/uploads/php/files/fsfbmi72i7jaobc2qk44t71rlp/6797579685.pdfIn PDF document text
    • http://niezapominajkowo.eu/userfiles/file/dugijisunenajudugur.pdfIn PDF document text
    • http://unseretochter.com/images/file/mobelavipitanejitanuwukux.pdfIn PDF document text
    • http://ieeepes-thailand.org/app/webroot/files/files/zizuduruwelajetogilebubo.pdfIn PDF document text
    • http://vitaminyplus.eu/files/file/podepivagugegivijivibi.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/s8c6bad7jbbijbkqifr844pmk8/102859218.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=nursing+care+plan+for+anorexia+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d6f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD6F6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.