Malicious PDF — malware analysis report

Static analysis result for SHA-256 61961cd1174c4226…

MALICIOUS

PDF

65.4 KB Created: 2021-05-28 06:11:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b050c413dcbfcda32315f20935138379 SHA-1: cb86f2494bf3e80390810c22afb0dddc3b9a2cdf SHA-256: 61961cd1174c4226b898f0e98876a80bc42847378e58599506c7d012c2f59061
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links pointing to compromised WordPress sites, which in turn host other PDFs. This suggests a link farm designed to distribute malicious content or phish users. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8702

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://sindonis.com/userfiles/file/zorilibugijutuboxibutedel.pdf
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b62ec7cc0f---lunakar.pdf
    • https://laneopx.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ed4c86bebe---sulesakazisubopofajof.pdf
    • https://www.cr-sdc.org/wp-content/plugins/super-forms/uploads/php/files/fcf8c1a6a9468352d3e7255ea56583e9/bibomibafiki.pdf
    • http://mtlebanon62.com/clients/5/5e/5ee551a8be14a26d7d76bc5e90dd1372/File/gugeroda.pdf
    • https://www.kadinlarsitesi.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606cae25e41e6---59170040631.pdf
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1607e61fd47a37---gimoduverexajirujisot.pdf
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160793af5ab7d3---zolivufobeperara.pdf
    • https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/64f062a3b18be27e9fe7347519e98f7b/zixobelitudarudefawa.pdf
    • http://mognational.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072d6ba3b006---wufipalizaxafituxubafuri.pdf
    • https://psfund.org/public/uploads/files/cms_files/80404712404.pdf
    • https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/239329990ebb36cf5e973b2c65de0810/peginizepozamepape.pdf
    • http://www.christinemartin.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16099d3f5d3a5f---vawibonivivoruri.pdf
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a505d857d57---fepukuvizulal.pdf
    • https://www.nordatec.com/wp-content/plugins/super-forms/uploads/php/files/2onf9s5mglgnasj1bt8qf6ukuj/bapigimuxofajesar.pdf
    • https://lasvegasrebath.com/wp-content/plugins/super-forms/uploads/php/files/a27613682367d6f9bf027087e910102b/1432019727.pdf
    • https://vaytieudungtragop.com.vn/wp-content/plugins/super-forms/uploads/php/files/696ksfrgir5abb4vsi2hf034gc/38907516596.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=how+to+hack+war+and+order+game
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dfc9.bin
88c67a6b884939282b8ff3fc8d3255bf375b3d7a76d03e4a865525a83361cd51		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFC9 5260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.