Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b26e5e0beb86c20…

MALICIOUS

PDF

80.5 KB Created: 2021-06-20 14:21:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bbbe676cb68cc198c5871a4af8b74ed4 SHA-1: 8b5c25a1827416ad6c130fa4a1cbdf4b6ccea48c SHA-256: 5b26e5e0beb86c20331e2405f40591d446bd39128a30564a5cb1cef38d542e81
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised websites and disposable hosting, indicating a link farm designed to redirect users to malicious content. The ClamAV detection and ML classifier strongly suggest this PDF is malicious, likely a phishing or malware distribution lure. No scripts were extracted, but the structure and embedded URLs are sufficient to infer malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7037

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mrmusicfoundation.org/wp-content/plugins/super-forms/uploads/php/files/0d70l83u93h9emhh2d8vforian/xotumukeritufulofixu.pdf
    • https://rebates.forex/wp-content/plugins/super-forms/uploads/php/files/c14m6j0b0g781hjj0ep1d58eo3/xasuperujaguvatura.pdf
    • http://rialta.ie/userfiles/files/38399720554.pdf
    • https://ludifrance.fr/userfiles/file/28055067911.pdf
    • https://ivaco.it/file/mezajasale.pdf
    • https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/f6dlc9argdj8gen415eg5f5nl4/96091469820.pdf
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160acc37c127ec---86154439853.pdf
    • https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/lhnu4ipafgs4jem9dfgjd38k0l/69750492633.pdf
    • http://vincityhomes.vn/wp-content/plugins/super-forms/uploads/php/files/5ecfv0nrh1g2vchun539qq1rq9/10512674764.pdf
    • http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607beb3cd13c7---30738138581.pdf
    • http://osoboebludo.com/ckfinder/userfiles/files/gikoluwedomenagaxum.pdf
    • https://agenciaboom.com/wp-content/plugins/super-forms/uploads/php/files/u20s7edaldaitlcv5hku4mcfh5/vavategawikegugiz.pdf
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c7b749a252f---22935377339.pdf
    • https://amrapalispot.com/userfiles/file/nimusewadizepezalif.pdf
    • https://communeouchamps.fr/userfiles/file/nijoxi.pdf
    • http://matchedtubes.de/userfiles/file/71762045266.pdf
    • http://parzenica-bialka.pl/userfiles/files/xanaxifibupowenowumibi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102Hussain
    • http://smc.org.inhttp://smc.org.in
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=sreemoyee+bangla+serial+star+jalsha
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • https://gitlab.com/smc/meera/blob/master/COPYING

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db9d.bin
83bd13f99958c54ec9d6d6a95e1e0a843b04264eb7d9d981702ad9ea9f51bd46		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDB9D 5520 bytes
font_01_sfnt_off0000ee33.bin
ff14d11abb46711de68080d7bfc14a1583ab975cb52bc8c674e91085e61edeef		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE33 3256 bytes
font_02_sfnt_off0000fa7e.bin
f3efa428962e26bad54d59cd0919a680e85783b0257888929f121c1d1dd4c8ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA7E 7984 bytes
font_03_sfnt_off00011467.bin
dae0332bb0a36ff4234da6a4532f10f505eb2c8a6311ec36a16e1fd7cb6bb6ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11467 3436 bytes
font_04_sfnt_off000121d4.bin
27953bbce3e0f2e3f6f0418ab534e185769020ba96316f29017027eb83e5eef1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x121D4 10732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.