Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d45207107950cc0…

MALICIOUS

PDF

65.2 KB Created: 2021-05-22 06:07:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e68a669f472d4cad508422325de5100d SHA-1: 8e434dc2a0a2d8434c83db6b5af5236f6a235465 SHA-256: 5d45207107950cc0adce2be3e268e2adb1a0ea461aed5f8c190ce55566cdb407
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan delivery mechanism. It contains numerous links, many pointing to compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The primary lure appears to be a worksheet, likely a social engineering tactic to encourage clicks on the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8428

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=percentage+increase+and+decrease+without+a+calculator+worksheet
    • https://www.finestkindcharter.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092910aa170a---katirilutovedikitureb.pdf
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/16081e809df75a---80715829410.pdf
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160708e3a7d81d---tetidemisujawevowetekaxa.pdf
    • https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/ffb379ee3b3f33a6256df71a955ae963/4695389198.pdf
    • http://bloomx.com/sites/all/sites/bloomx.com/files/62550053165.pdf
    • http://www.stratcareerservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094d9e99622e---jusasurizin.pdf
    • http://victorylimo1.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085905dba235---padidusomibubonajof.pdf
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a497ad6c0e8---56097970775.pdf
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/40f278838d9c94a9af427b8c9fc3fa71/69068717947.pdf
    • https://amrapalispot.com/userfiles/file/kevewezoruwe.pdf
    • https://kuechentreff-schmid.de/wp-content/plugins/super-forms/uploads/php/files/6r24dmce41t5rtsebjv8hepq9q/pudedozetemibebosamavik.pdf
    • https://geneolock.com/locktactyuma/userfiles/file/mewazudowud.pdf
    • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/36gc9mfrrib0qils3k5tohcre0/natifurudele.pdf
    • http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083212b642d5---94493166814.pdf
    • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/0914877c6dc5af291840f0e3b0014755/59339346797.pdf
    • http://kulturazebrak.cz/userfiles/91131352148.pdf
    • http://www.homefacelifters.com/wp-content/plugins/super-forms/uploads/php/files/2a237df9dbe90e38368027370ec378b1/wijukeporeramanesobew.pdf
    • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16075eee8cceef---8210222824.pdf
    • http://sl-light.ru/design/img/upload/file/45420212344.pdf
    • http://midel.me/userfiles/file/xeranutupuwofesupelilojas.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2f8.bin
37e131d25bd8624ed50dc3eb78efa1f7daddb327396d471ed448e9d91ab9804d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2F8 5360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.