Malicious PDF — malware analysis report

Static analysis result for SHA-256 60e3dff7f6e6d0b1…

MALICIOUS

PDF

61.3 KB Created: 2021-05-03 00:47:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38bee0a0fc74ad6cb19e7e9571305b52 SHA-1: c8dbabf80bd80e192c5c98d582c5faa7add2878b SHA-256: 60e3dff7f6e6d0b1aa8d1cfd678b03f2d40d6aacb34d2e6323a156910b795d50
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links to external websites, many of which are hosted on compromised WordPress installations. The heuristic firings indicate this is a link farm designed to direct users to potentially malicious content, and ClamAV detected it as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to an 'installation guide'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8016

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bac78e1b33---gokasave.pdf
    • https://freedomtampons.com/wp-content/plugins/super-forms/uploads/php/files/4e042bc0ee9c70a7ca9bd218c5b616a4/3622768562.pdf
    • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073ef4c20802---75550916162.pdf
    • https://fitnessrev.net/wp-content/plugins/super-forms/uploads/php/files/6n2qao5b3cdvnumv2lfihkcc1n/vitiwijuvurot.pdf
    • https://spencershaulageltd.co.uk/wp-content/plugins/super-forms/uploads/php/files/1a0cad1bf668d678985d7d26852efd03/daxezuk.pdf
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607010e905bea---sukobas.pdf
    • https://www.cdscabling.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1606f27f16a7bc---zalizifilu.pdf
    • https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c732e191ae---zigatofavozepitim.pdf
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d63957b754---zosulaguzujuxuzapujutorix.pdf
    • https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/1606f0afec804a---88325218912.pdf
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/e678645df0ba160942d52d6b3d7d2a50/98263749858.pdf
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/pu8g7c55duahrjblm844l75n68/52150303890.pdf
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ccbf69bbf4---16125601045.pdf
    • https://alfa-clining.ru/wp-content/plugins/super-forms/uploads/php/files/3c55af28b3b9ea906010bb8a19ac813f/54659839386.pdf
    • http://www.cuadernos.in/wp-content/plugins/formcraft/file-upload/server/content/files/1607633f3264cf---topasuv.pdf
    • https://www.dazzlingdecor.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608dec1f2f645---miwowupat.pdf
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/16087af4b0d938---kivibexamufeje.pdf
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ccff06ed3d---saxefamevibudirolovala.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=focused+insight+installation+guide
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da4b.bin
2bfc20cfd9e30ba30214383d5dd7d6233b30f885092e4a1f1acd1d6d8c84dc7f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA4B 5060 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.