Malicious PDF — malware analysis report

Static analysis result for SHA-256 626fd6d6f25e51fd…

MALICIOUS

PDF

74.9 KB Created: 2021-09-07 18:07:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 3b9f752ac3b2eac10fca802193de0025 SHA-1: b09c75655896281756cb85239e97969db6799b7b SHA-256: 626fd6d6f25e51fd5c15ad329fdf00b11172ff467230c159573dbe0c01589a67
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a link farm, directing users to numerous external websites. Several of these links point to compromised WordPress upload directories, indicating a potential phishing or malware distribution scheme. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4750

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.radeton-cz.vasestranky.cz/ckfinder/userfiles/files/kopigetopusuxukifin.pdf In PDF document text
    • https://georgiamusicpartners.org/wp-content/plugins/super-forms/uploads/php/files/be00d98f9c1f2d1f8af802fa40f75608/xumikimoxenux.pdfIn PDF document text
    • http://hotstamping.pl/files/file/witesivixokel.pdfIn PDF document text
    • https://www.beadvised.co.uk/wp-content/plugins/super-forms/uploads/php/files/5c29b42335e7f837a9e103e56d875855/4592298341.pdfIn PDF document text
    • http://eviljoy.com/UserFiles/File/59936806897.pdfIn PDF document text
    • http://dianacb.cz/userfiles/file/jutazusadiwovadomojin.pdfIn PDF document text
    • http://camel-republic.com/media/userfiles/files/kokopiraxoxoz.pdfIn PDF document text
    • https://at-studio.tw/app/webroot/userfiles/files/20210831_105403.pdfIn PDF document text
    • http://amandamaitland.com/images/file/32038142159.pdfIn PDF document text
    • http://cioccolatogallucci.it/userfiles/file/34370738396.pdfIn PDF document text
    • http://reiki-roots.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a251fd217e8---sajoponagudodudawulugorej.pdfIn PDF document text
    • https://www.generalutilities.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c019a780e10---93204425588.pdfIn PDF document text
    • https://yuss.it/file/3647655396.pdfIn PDF document text
    • http://farmaciacogliate.it/userfiles/files/32352641077.pdfIn PDF document text
    • http://indago-rovigo.it/userfiles/files/keguxuguramasodinas.pdfIn PDF document text
    • https://247christianity.org/fckeditor/userfiles/file/398048015451620484292.pdfIn PDF document text
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/59372204b6704d3394ef16e8cbc5538d/40846477922.pdfIn PDF document text
    • http://theaterbuehne-schwandorf.de/userfiles/file/ruguj.pdfIn PDF document text
    • http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a611da4d272---jajopovasadexe.pdfIn PDF document text
    • https://securityguardsupply.net/php/uploads/file/pasifusesoximajafo.pdfIn PDF document text
    • https://oicenglish.com/imagexx/files/desevutofuxomev.pdfIn PDF document text
    • http://n-production.com/upload/fckeditor/file/24329257418.pdfIn PDF document text
    • https://www.beadvised.co.uk/wp-content/plugins/super-forms/uploads/php/files/d6510879772101d10e617584a9be8a45/72712942023.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=batch+convert+epub+files+to+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d19d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD19D 11076 bytes
SHA-256: e7fb36ea7c80f44cd6af8c0004e873af47f6e5cc31930669dd07cd2a435c265d
font_01_sfnt_off0000eb2b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB2B 17488 bytes
SHA-256: 2573a0b3c926ddca7acc7a2d59e12fa1c8f1667994e35c32d272f85e51a02af0