Malicious PDF — malware analysis report

Static analysis result for SHA-256 60d79b90f942892c…

MALICIOUS

PDF

105.4 KB Created: 2021-07-21 05:36:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: ecadad1127c217a719750d97495f8f63 SHA-1: 392faee93464c04f623ca1b704bbf1f533d73e95 SHA-256: 60d79b90f942892c663cd2a917071a8b722aead1ef5ccfe11856154d27c7bbe7
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many of which are hosted on compromised CMS platforms or disposable domains, suggesting a link farm designed to redirect users to malicious content. The presence of multiple PDF link farm heuristics and embedded URLs points towards a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6663

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://anhbanglaw.com/userfiles/file/tugomoregosunalig.pdf In PDF document text
    • http://www.canadiantreasurer.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3ff793a096---magobigojafoximawixilu.pdfIn PDF document text
    • https://elpmarketing.ca/wp-content/plugins/super-forms/uploads/php/files/a9cf05a00c42f65edadf191a8fa3d750/maxijakikeraw.pdfIn PDF document text
    • http://www.anjhimayath.com/upload/file/begefowewawigobojofo.pdfIn PDF document text
    • https://giolog.biz/images/bulk_images/files/8125357110.pdfIn PDF document text
    • https://hizlipin.com/calisma2/files/uploads/5359561954.pdfIn PDF document text
    • http://www.nowsingapore.co.id/wp-content/plugins/formcraft/file-upload/server/content/files/1609cb10d69341---gumit.pdfIn PDF document text
    • https://cape-electronics.com/media/file/56714529633.pdfIn PDF document text
    • http://mijneigenlift.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607079a0bef12---xabigavosip.pdfIn PDF document text
    • http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb52904058---61353127268.pdfIn PDF document text
    • http://brandnewgoods.net/userfiles/file/68328781363.pdfIn PDF document text
    • http://orchid-daikanyama.com/userfiles/file/silonolidugazoridijiva.pdfIn PDF document text
    • https://stcatherine.ac.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160811f6b2ba0d---53016916832.pdfIn PDF document text
    • https://dietacud.eu/upload/file/powakewon.pdfIn PDF document text
    • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160815b6798645---musopadaniwulubu.pdfIn PDF document text
    • http://www.hcibatiment.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608a3e8d7b459---jozuvozaluxuwigu.pdfIn PDF document text
    • http://seanmore.com/userData/board/file/93316957057.pdfIn PDF document text
    • http://quickvideo.nl/userfiles/file/tipodebinade.pdfIn PDF document text
    • https://calldidocta.com/wp-content/plugins/super-forms/uploads/php/files/408afad2b18e0a3ad2e64052e85b968f/sutulado.pdfIn PDF document text
    • https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/3332eadd0b6e8d362f5defa9a3af6053/99713691411.pdfIn PDF document text
    • http://skyline64reunion.com/clients/e/ec/ec378541aa9b73e2b99de5ca5545ec21/File/wimebijatulovan.pdfIn PDF document text
    • http://doks-films.com/pcms/content/file/52947953719.pdfIn PDF document text
    • https://www.sidertest.it/wp-content/plugins/formcraft/file-upload/server/content/files/160ec4af584188---biwagunefevenedusab.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=t%26t+nails+pricesPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001791f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1791F 19708 bytes
SHA-256: aca8d4549f1c181d0efe2c2f0d7c3cc08b136d6e4a868fee4e677e54126c8430

Open this report in the interactive analyzer, or submit your own file for analysis.