Malicious PDF — malware analysis report

Static analysis result for SHA-256 60b559297d5aff04…

MALICIOUS

PDF

91.5 KB Created: 2021-10-16 16:51:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: bf3f3ebd9de7866ed1f8d70a21cf5b23 SHA-1: 212e35f7b96a8b05dc50e6c404a9e852acb4a0d7 SHA-256: 60b559297d5aff04619674350b3f82864e9bf2db37f5be5d96f7441dfd208ac6
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It functions as a link farm, containing numerous embedded URLs that point to compromised websites and potentially malicious content. The heuristic firings indicate a pattern of using disposable hosting and compromised CMS uploads to host these links, suggesting an attempt to distribute malware or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7707

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://eatatrudy.com/uploads/files/zilamonudezamab.pdf In PDF document text
    • https://3rproject.eu/ckfinder/userfiles/files/84327575842.pdfIn PDF document text
    • https://vietcuongcorp.com/uploads/news/files/84567263088.pdfIn PDF document text
    • https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/a4c0b59b5369bdf39245b6815f27feee/sadogabizivejozifitiba.pdfIn PDF document text
    • https://naves.cz/res/file/mekenizaludokaxuzuweni.pdfIn PDF document text
    • https://unitjaya.com/contents/files/29875789031.pdfIn PDF document text
    • http://tnshoppingbag.com/upfiles/file/40728429671.pdfIn PDF document text
    • https://eliteswimmingpoolsinc.com/wp-content/plugins/super-forms/uploads/php/files/mg1cnvlb0i1m13s53biksa6c21/desavozixox.pdfIn PDF document text
    • https://superlitefan.com/uploads/files/60278771238.pdfIn PDF document text
    • http://cdio.vn/uploads/userfiles/file/mazefazajoxapupagun.pdfIn PDF document text
    • http://ampletrekking.com/userfiles/file/banisaripevawatusekakowat.pdfIn PDF document text
    • http://fleshlight-tw.com/userfiles/file/sevobabesufasuzevi.pdfIn PDF document text
    • https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/16147a28fe78ac---xokakir.pdfIn PDF document text
    • http://qianxish.com/ckfind_image/files/xapojezer.pdfIn PDF document text
    • https://hamasataccessories.com/userfiles/files/54983581349.pdfIn PDF document text
    • http://quartierdete.fr/uploads/fckeditor/file/15868212182.pdfIn PDF document text
    • https://macleanpinesdrivingschool.com.au/wp-content/plugins/super-forms/uploads/php/files/1712459a09da62d54fb3d96de930238a/mobojutegobemoxenige.pdfIn PDF document text
    • http://nonstopsushi.com/uploads/files/xutepijevame.pdfIn PDF document text
    • http://pass38.com/images/contentimages/files/4313535177.pdfIn PDF document text
    • https://alubiasdetolosa.com/files/galeria/files/14816776398.pdfIn PDF document text
    • http://easyliveconstruction.com/ci/userfiles/files/niwikoviwajuwadogop.pdfIn PDF document text
    • http://elistaprezentow.pl/userfiles/file/47964349632.pdfIn PDF document text
    • https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/3baecc97cbe009cba4634ac5ec57198e/lilerofilobilaku.pdfIn PDF document text
    • https://blugarden.eu/file/pozelenokedolafofuzox.pdfIn PDF document text
    • http://pasted-radio.de/web/files/dajevuparepudaramesata.pdfIn PDF document text
    • http://feedproxy.google.com/~r/MbOu/~3/2I9n2o-U8HI/uplcv?utm_term=pure+obligation+examplePDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014652.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14652 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1