Malicious PDF — malware analysis report

Static analysis result for SHA-256 67b0ade18f4437a7…

MALICIOUS

PDF

62.3 KB Created: 2021-09-16 05:47:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 98603701565a512e9af0b4c7142617c8 SHA-1: 74af82250ede63e3bf9728c1444447cf2aeff54d SHA-256: 67b0ade18f4437a7d8cf6ace06917c8f01097c88f2a4b5a58baed9f43cbccc74
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, directing users to multiple compromised WordPress upload directories and disposable hosting sites. The embedded URLs, such as 'https://synerhu.ru/uplcv?utm_term=how+can+i+make+my+phone+4g', are likely used to distribute phishing content or further malware. No scripts were extracted, but the PDF structure itself facilitates the attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6508

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=how+can+i+make+my+phone+4g PDF link annotation
    • http://www.mkkdigital.pt/wp-content/plugins/formcraft/file-upload/server/content/files/16132c424731cb---1108881165.pdfIn PDF document text
    • https://shining4u.com/wp-content/plugins/super-forms/uploads/php/files/a8d4264cf14f9a344b009c22d1c7ff9c/jodoxemekujibovimudur.pdfIn PDF document text
    • https://homestayhoian.vn/uploads/image/files/xagiwot.pdfIn PDF document text
    • http://kisito.com/userfiles/file/36297593819.pdfIn PDF document text
    • https://www.quatainvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/161396f5342438---14214774628.pdfIn PDF document text
    • https://acethamessecurity.co.uk/wp-content/plugins/super-forms/uploads/php/files/6ec60b3031e18e53f92293cfb39d4273/fanojitigivuziju.pdfIn PDF document text
    • https://happy-playground.gr/uploads/_uploads/files/78976164557.pdfIn PDF document text
    • https://polaria.cz/images/file/2254518337.pdfIn PDF document text
    • http://novo-foto.ru/ckfinder/userfiles/files/52978975739.pdfIn PDF document text
    • http://fine-trading-knotwork.de/uploads/media/29222853020.pdfIn PDF document text
    • http://wamer.org/userfiles/file/jebamamosamemavunalojexa.pdfIn PDF document text
    • http://ambulatorioveterinarioilprato.eu/userfiles/files/newuxidupudopa.pdfIn PDF document text
    • http://marketypik.pl/zdjecia/fck/file/26830058854.pdfIn PDF document text
    • http://marchmontnews.com/imgs/file/26971326743.pdfIn PDF document text
    • https://kanat.com/upload/ckfinder/files/votuzewosobijezeridik.pdfIn PDF document text
    • http://gzwep.com/img/file/202191462610.pdfIn PDF document text
    • https://pinkrali.com/calisma2/files/uploads/28635180925.pdfIn PDF document text
    • http://bjjiffy.com/upload/51228178455.pdfIn PDF document text
    • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16137854715b30---16145642881.pdfIn PDF document text
    • https://newat.ru/wp-content/plugins/super-forms/uploads/php/files/cba5a3fe77a6468da72008392e409837/25326320432.pdfIn PDF document text
    • http://monthclean.com/uploads/files/202109060718238988.pdfIn PDF document text
    • https://www.uflo.edu.ar/ckfinder/archivos/documentos/xidik.pdfIn PDF document text
    • http://catherine-massage.com/ckfinder/userfiles/files/sivexegawajujas.pdfIn PDF document text
    • https://kampusogrenciyurdu.com/file/lutifapodomesalodakevere.pdfIn PDF document text
    • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/sm6tujabh38djco79ak8nrgjuh/fidifarerunumugujazemus.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b1da.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB1DA 14512 bytes
SHA-256: a69e97b9103885cd88f0e6aba304018a26c0ce74fe0e5ce513893cc9a9ae56c5
font_01_sfnt_off0000d5d8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD5D8 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.