Malicious PDF — malware analysis report

Static analysis result for SHA-256 60c6bf96b3a9b571…

MALICIOUS

PDF

79.3 KB Created: 2021-10-11 19:19:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: cb7c2da637ada047e3b23365bd2b1a78 SHA-1: c0c188d0e00238902b70ece03bc7f9feadf8ce49 SHA-256: 60c6bf96b3a9b57135dc0253b500ab2972c459b72a3cbd87b43e0da527b6200b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it functions as a link farm, directing users to multiple compromised CMS upload URLs. These URLs likely serve as landing pages for phishing attempts or to host further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6220

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/47f9t0mp4cekmebh9n2l99n1ha/paxipizafaluwo.pdf In PDF document text
    • http://yushendesign.com/images_fck/file/1631914595.pdfIn PDF document text
    • http://phamtrangia.com/upload/files/wapenipikixe.pdfIn PDF document text
    • http://fruitvita.com/files/files/xebetewojerig.pdfIn PDF document text
    • https://leresto-niort.fr/images/userfiles/files/tofetapabamunamowapuke.pdfIn PDF document text
    • http://gcsiva.com/files/userfiles/file/30472915558.pdfIn PDF document text
    • http://logtech.cz/foto/Image/file/6004195349.pdfIn PDF document text
    • https://deconkhoemanh.com/wp-content/plugins/super-forms/uploads/php/files/u8477imt8ge9ekt0f0o6crbka2/76195259999.pdfIn PDF document text
    • https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1616104ddbf99a---lunigosivefikamoxenolede.pdfIn PDF document text
    • https://www.unicodesystems.com/wp-content/plugins/super-forms/uploads/php/files/h5lhnghr220fhbmf510cm72nj5/kipafiv.pdfIn PDF document text
    • http://www.ximangsongthao.com.vn/app/webroot/uploads/files/nuxejok.pdfIn PDF document text
    • http://bargiel.com.pl/ckfinder/userfiles/files/93563404288.pdfIn PDF document text
    • http://closehorses.com/userfiles/file/39101444283.pdfIn PDF document text
    • https://postelezmasivu-ostrava.cz/ckfinder/userfiles/files/xunuzoxowutusalajol.pdfIn PDF document text
    • http://infoguard.ru/content/file/pafudasasakupasanipoto.pdfIn PDF document text
    • https://888nv.ru/userfiles/file/36659530483.pdfIn PDF document text
    • https://rezilta.com/psum/admin/userfiles/file/55278615520.pdfIn PDF document text
    • http://baigeleather.com/userfiles/file/nivasivosum.pdfIn PDF document text
    • https://estoniapools.com/contents/files/77326661327.pdfIn PDF document text
    • http://hotel-gerard-dalsace.com/upload/document/46882005096.pdfIn PDF document text
    • https://ijp2.com/contents/files/28410902321.pdfIn PDF document text
    • https://www.uflo.edu.ar/ckfinder/archivos/documentos/45321229264.pdfIn PDF document text
    • https://b2bircruise.travflex.com/bot/ckfinder/uf/files/68843868862.pdfIn PDF document text
    • http://isisthailand.org/file_media/file_image/file/fonotogezizeborafaroke.pdfIn PDF document text
    • http://design-klasse.de/ckfinder/userfiles/files/26628384551.pdfIn PDF document text
    • http://feedproxy.google.com/~r/Xvkpad/~3/vItLtdF7Pec/uplcv?utm_term=is+hcl+a+covalent+compoundPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e446.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE446 10704 bytes
SHA-256: 80a839f3595a5b7b4759eb9b33cf70122d53ae90b96ce1dd5a55494f9e768ae7
font_01_sfnt_off0000fcb9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFCB9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000114cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x114CB 18896 bytes
SHA-256: 00ede5c754b4ae75e89425f4460d4883b8ab9934f85e091808e9d6583c14cd4f