Malicious PDF — malware analysis report

Static analysis result for SHA-256 66146167476b01a5…

MALICIOUS

PDF

67.1 KB Created: 2021-07-16 15:16:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-22
MD5: da5078c82a3d8e0f48d32cb230702ba4 SHA-1: 1ab4e94e3ee4c7121cf0b33bdf0377b5f5e6faf0 SHA-256: 66146167476b01a5978dd4ec6aeda6acafc310a3808799a6d8078e3be7095ec0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs that point to compromised CMS upload directories. These links likely serve as a distribution point for phishing content or further malware. The presence of multiple links on potentially compromised sites suggests a broad-reach malicious campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7463

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/vn4sejr6qof7vel59d2h6ne3lh/baxopelugujedipum.pdf In PDF document text
    • https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/3b4365008d401dd7613da6eee21d5366/567847811.pdfIn PDF document text
    • https://aykutemlak.com/upload/ckfinder/files/nofovuzavalavafof.pdfIn PDF document text
    • http://yeosingol.com/FileData/ckfinder/files/20210703_25A7D2786EB14FA4.pdfIn PDF document text
    • https://canadianrelocation.net/wp-content/plugins/formcraft/file-upload/server/content/files/160831eb2782c2---fawososaxitupojabijenomu.pdfIn PDF document text
    • https://118highschool.am/wp-content/plugins/super-forms/uploads/php/files/54e6198021d371c834ebc0670f552e02/jirogujelizubure.pdfIn PDF document text
    • https://www.perfumista.co.uk/wp-content/plugins/super-forms/uploads/php/files/163a824f00d720a1c6919df592f6511c/taretaruludip.pdfIn PDF document text
    • http://saamfactory.com/wp-content/plugins/super-forms/uploads/php/files/fcc8b458be5f17716b6cfd10d0cf2c0e/68727602971.pdfIn PDF document text
    • http://wanyuantemple.tw/userfiles/file/84322743674.pdfIn PDF document text
    • http://mp-journal.com/media/file/baxadexeze.pdfIn PDF document text
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16090f073521cd---48681571844.pdfIn PDF document text
    • https://teenvolunteerdallas.org/wp-content/plugins/super-forms/uploads/php/files/9048c9dd7aae63510c60d5b4991713d6/9684543361.pdfIn PDF document text
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/627cd68b0c6003f8ba3f9b17595b0dc8/91902123648.pdfIn PDF document text
    • http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/1607a13b899699---53269882609.pdfIn PDF document text
    • https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b4a26d3ad34---bekugozu.pdfIn PDF document text
    • http://sbsinternationalschool.org/sbsisnew/userfiles/file/93541394719.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c34695524f8---nipifamaxavajinonojoba.pdfIn PDF document text
    • https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/16092ad1240105---zalorapetipe.pdfIn PDF document text
    • https://voicelux.ru/wp-content/plugins/super-forms/uploads/php/files/9810dee2114acd26e0044fb758732752/sumuwiveviw.pdfIn PDF document text
    • http://aep-tc.com/cache/fck_files/file/85563196666.pdfIn PDF document text
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608968be9fe4b---vivelejazegijenawiteku.pdfIn PDF document text
    • http://www.jhannahs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160af54e789bda---39714554515.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/LPIa9PGmDLg/uplcv?utm_term=beef+stroganoff+without+cream+of+mushroom+soupPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f694.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF694 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1