Malicious PDF — malware analysis report

Static analysis result for SHA-256 61ab0631bbe0a9a8…

MALICIOUS

PDF

105.0 KB Created: 2021-04-28 03:03:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee647585fe35791da868e8a920c44013 SHA-1: 5c942c71554a6f3788ea4b9dade7a11f4b9b404c SHA-256: 61ab0631bbe0a9a820bc0bfda6f8a9b181d84ac93b1adf05824f61d5840434e3
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected by ClamAV as Pdf.Phishing.Trojan. Static analysis revealed multiple heuristics indicating a link farm hosted on compromised WordPress sites. These links likely serve as a lure to redirect users to malicious or phishing content, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier clean score 0.1666

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16084e82ae5538---tasanonemutoz.pdf
    • https://www.revistadefiesta.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606efb06e3a8b---xidegixikakagim.pdf
    • https://cald-lighting.com/wp-content/plugins/super-forms/uploads/php/files/ffc61409066a4e854044983644abea96/64238844913.pdf
    • https://puertoestereo.com/wp-content/plugins/super-forms/uploads/php/files/dpq553otnq4a3gt4qniu7n0q2q/darexavojesigepikipok.pdf
    • https://www.inter-tube.co.uk/wp-content/plugins/super-forms/uploads/php/files/5c6112d8ba36988df52213d84ede1440/14900241694.pdf
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/i2ed50tofmbd772p62idvnemr0/rorizejerod.pdf
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/47cb98kcvkl4dqfso3050dp312/37573998311.pdf
    • https://www.sixteengrams.com/wp-content/plugins/super-forms/uploads/php/files/3gj7p7qrnfpn1no81ii7n9na0b/nomomuvajirevokolife.pdf
    • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607cab7577996---34858284411.pdf
    • http://www.kindytennis.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607433d447ea1---tepavurupoxalad.pdf
    • https://www.finestkindcharter.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084939ca6dbe---budadasefifusogoj.pdf
    • http://thefutureofgolf.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1607a267669235---81536361108.pdf
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/g65vaoatrjq6alam54bjf1h51q/didiberudetagupa.pdf
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607788d201947---80393152989.pdf
    • https://pensiuneavlasin.ro/wp-content/plugins/super-forms/uploads/php/files/4lf9b16s7409lu58df7tuut2ui/16515288794.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=compound+subject+and+predicate+worksheets+answers
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012bf6.bin
b2bdb25d444498b9eac69dd75984c0cd0b37288b77f0ccbbef0f13a65445a2a3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12BF6 4276 bytes
font_01_sfnt_off00013b08.bin
0f0e020e505ff8cfb99773077ab0e0a8ca8faf858e7322dd21644dc437e4f654		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13B08 5556 bytes
font_02_sfnt_off00014dc9.bin
9de6465daa71cfcdc06f663cc4987b59ae71f49c732b5db71eab751e3c5eba37		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14DC9 13412 bytes
font_03_sfnt_off00017b5e.bin
ee75143d0abd7af26be7cd0234bd44d9f01ba5480dfb2b0835920ec169f2da3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17B5E 16320 bytes
font_04_sfnt_off0001911d.bin
7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1911D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.