Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f173d0bc52a6445…

MALICIOUS

PDF

130.5 KB Created: 2021-09-08 07:01:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: afb7c12b5dd0a33e0c0beccdb59d9081 SHA-1: e570449914e971c1592b6b55139b0cc824d363dc SHA-256: 5f173d0bc52a6445c919e5aa2a41311cdae3df8b2faf429a64297fa793e4d908
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF containing embedded JavaScript, which is a common technique for delivering malicious content. It also contains numerous links to compromised WordPress sites, suggesting a link farm used to obscure the true destination or host malicious files. ClamAV detection and ML classification strongly indicate malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8863

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lotuscourtpune.com/wp-content/plugins/super-forms/uploads/php/files/1crfk4oh5bnhjh27c8slltl714/76456374676.pdf In PDF document text
    • http://xn--80aafbkbafwdti1ahihccrg.xn--p1ai/pict/file/fifirovukinapewevasuka.pdfIn PDF document text
    • http://andreevmag.com/wp-content/plugins/super-forms/uploads/php/files/0c3525375c5080dff8ed0d7fd15606d4/51760015412.pdfIn PDF document text
    • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160c8dc88a8634---53264782686.pdfIn PDF document text
    • http://pkynfe.net/userfiles/file/fupawiwuw.pdfIn PDF document text
    • http://www.artefuoricentro.it/js/lib/ckfinder/userfiles/files/61740561431.pdfIn PDF document text
    • http://plenaadoracao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606c7bff5b683---12679754850.pdfIn PDF document text
    • http://meechoktoolmart.com/user_img/files/pagaselowa.pdfIn PDF document text
    • https://abeess.com/userfiles/file/zegagaro.pdfIn PDF document text
    • https://vydavatelstvoklett.sk/userfiles/file/dujugufujuk.pdfIn PDF document text
    • http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160e136de7c9ac---60264781767.pdfIn PDF document text
    • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/b1351e508fb304d9e163e60ec884d121/66104558004.pdfIn PDF document text
    • https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/a04350c3db564051ccefe4153c592121/3367175297.pdfIn PDF document text
    • https://davidfoleyinc.com/userfiles/file/22612827957.pdfIn PDF document text
    • http://pathtojanna.com/userfiles/files/vawana.pdfIn PDF document text
    • http://rigassprotes.lv/uploadz/file/nitanasenaw.pdfIn PDF document text
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160774db371e10---givuxaxokozujaw.pdfIn PDF document text
    • http://marmaraisg.com/images_upload/files/36984971354.pdfIn PDF document text
    • http://www.studiolegalefusimorelli.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612203487bc50---66314324778.pdfIn PDF document text
    • http://cserepakcio.hu/xdata/file/vibirulepipobotofaguxikek.pdfIn PDF document text
    • http://amirafouad.com/uploaded_files/file/debefabumotunuvat.pdfIn PDF document text
    • https://wholisticvibrations.com/wp-content/plugins/super-forms/uploads/php/files/8fadb449a2cea744516dba28d6798485/1779179833.pdfIn PDF document text
    • http://packagingandfoodmachinary.com/userfiles/file/dilixepo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=micrologix+1000+user+manualPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.