Malicious PDF — malware analysis report

Static analysis result for SHA-256 58b10eb84dce21e2…

MALICIOUS

PDF

Size: 86.0 KB
Created: 2021-07-16 10:55:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11
MD5: 9a3ea620a3f7e9ee7b32c77fce4be380
SHA-1: c45228353b5aaaf25ca1de378be2e9b31e6be671
SHA-256: 58b10eb84dce21e2e1c2985a46c939dcb0dcfa40fe24b97d8ef3073375a758ac
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links, many pointing to compromised WordPress sites and disposable hosting, indicating a link farm designed to redirect users. ClamAV detected this file as 'Pdf.Phishing.Trojan', and ML classifiers also flagged it as malicious. The presence of multiple external URIs and a link farm structure suggests an attempt to lure users to malicious sites, likely for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7924

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012bf0.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12BF0
Size: 10728 bytes
SHA-256: e85a10df695915cc1b65cc9ffaca4c97e5d9ac284e25685d571f376ae952421e