Malicious PDF — malware analysis report

Static analysis result for SHA-256 60def1b644c61300…

MALICIOUS

PDF

63.6 KB Created: 2021-05-12 19:06:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d8fb205ee8dda5afbd195cae232166f4 SHA-1: ed26812d3150ad7cc4ce9296586b9599df97df68 SHA-256: 60def1b644c61300af683f4a04f3fe76e6ddb8a92212d81d9c6deaa0536742a4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The document contains numerous links pointing to compromised WordPress sites, suggesting it functions as a link farm to distribute phishing content or further malware. The presence of external URIs and link farm indicators strongly suggests an attempt to redirect users to malicious destinations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9959

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=android+emulator+pc+ringan
    • https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1608851427d5b3---27382715517.pdf
    • http://www.fsnn.se/wp-content/plugins/formcraft/file-upload/server/content/files/160757991219fd---95483613419.pdf
    • https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/65bf2fe893c03bf9785c2129dec48f0a/jetizarexomixonugazupexe.pdf
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608263893110a---vexuw.pdf
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609838ceed550---50325114803.pdf
    • http://freemansphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609534c5d76d7---kadinolifesunaxovas.pdf
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082f5cd908c8---banibo.pdf
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1606fd0ce2cb59---13608351333.pdf
    • http://www.maarsehoveniers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16083e4a952a40---nubanejosulavovarewojufo.pdf
    • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/ee24ca0b778657237899e541f9b4fffe/19154945245.pdf
    • https://ivfnna.gr/wp-content/plugins/super-forms/uploads/php/files/6c2549993842f539a3bf4eeccf56591f/85191604474.pdf
    • https://arizonapoolcontractor.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f6d9da25f1---28681156045.pdf
    • http://suportti.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091f91a8ccf3---nokivilanememupotejig.pdf
    • https://vallejardin.com/wp-content/plugins/super-forms/uploads/php/files/8e5bd62fcab7dd883317144da4361091/rifesumewofotajo.pdf
    • http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160730e33269ce---98956241031.pdf
    • https://www.reliancecareuk.com/wp-content/plugins/super-forms/uploads/php/files/a99e69cd22860f81b88816cbd6adecef/lobabizawebavoxexi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d24b.bin
afbc6986c059def273dbfaccc0b5673cbfbb494999f6753bdaa1541ceb393999		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD24B 5204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.