Malicious PDF — malware analysis report

Static analysis result for SHA-256 67f3e7c7efebb18d…

MALICIOUS

PDF

76.2 KB Created: 2021-09-22 19:19:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 04e7b24121ef2bb614a83debef68ba69 SHA-1: 660728c6de91a86b30e394a11f77eb9c809b3599 SHA-256: 67f3e7c7efebb18dcfa18e5331853cfc52b669de8d4e2e53d5b70ff52b7a64df
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a malicious PDF by ClamAV, exhibiting characteristics of a link farm. It contains numerous URLs pointing to potentially compromised websites or disposable hosting, suggesting an attempt to redirect users to malicious content. The presence of a 'utm_term' parameter in one of the URLs indicates a potential phishing or tracking mechanism.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4817

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=apk+sdk+editor PDF link annotation
    • http://plncse.hu/php_data/file/dujikusekuzirejozaxuk.pdfIn PDF document text
    • https://rmdschoolandcollege.com/wp-content/plugins/super-forms/uploads/php/files/c5b0790226a31de74788cfa449860bea/79467124519.pdfIn PDF document text
    • https://farmacieitaliane.com/documenti/file/loverowadajisumo.pdfIn PDF document text
    • http://sieuthibongda.net/ckfinder/userfiles/files/38863716840.pdfIn PDF document text
    • https://catwalkdogcome.com/editor_upload_image/file/5154862342.pdfIn PDF document text
    • https://adverto.ee/userfiles/file/gidosuwafusezomux.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/eed27d3df2c1e7ff9463f3029146dd1a/81231743246.pdfIn PDF document text
    • http://www.niziointerior.pl/upload/file/duxajabazovedez.pdfIn PDF document text
    • http://stopguepes72.fr/userfiles/file/4345225803.pdfIn PDF document text
    • http://zhengfutz.com/v15/Upload/file/202194457257737.pdfIn PDF document text
    • http://shijijiaming.cn/filespath/files/20210909150920.pdfIn PDF document text
    • https://12shio3.com/contents/files/pisanezusewexap.pdfIn PDF document text
    • http://pastadimatteo.com/ckfinder/userfiles/files/6186061291.pdfIn PDF document text
    • https://e-uchebnici.com/img/file/gemokabidusewid.pdfIn PDF document text
    • http://unitez.net/images/newtech/files/11973889612.pdfIn PDF document text
    • http://travellerisland.com/files/konapisigisijukaxix.pdfIn PDF document text
    • http://pes.edu.mn/ckfinder/userfiles/files/27004005625.pdfIn PDF document text
    • https://loan-financial.com/wp-content/plugins/super-forms/uploads/php/files/ef57e370535bfbba73edf20895afa4bf/wemanomirofir.pdfIn PDF document text
    • https://dudikom.pl/userfiles/file/kizosimirutum.pdfIn PDF document text
    • http://sunil.kr/uploadfile/fckeditor/file/sifizoxoju.pdfIn PDF document text
    • https://lentes123.com/aym_image/files/42718616054.pdfIn PDF document text
    • https://www.loscam.com/lib_common/ckeditor/ckfinder/userfiles/files/96490886374.pdfIn PDF document text
    • http://servis-hradec.cz/files/file/9598034452.pdfIn PDF document text
    • http://aaexpansionjoint.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f4a48c670f---woxadonajuzebukad.pdfIn PDF document text
    • http://panyuchen.com/ckfinder/userfiles/site_eachfun_com/files/durojelezepivitivoxu.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d73c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD73C 17324 bytes
SHA-256: 20429e9e637922dee25415999bc92c7da376d4576923cf154fb9b81be8e72100
font_01_sfnt_off000103ca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x103CA 10148 bytes
SHA-256: b003d94884894ac555f0ae1bc7eed327b0edee9a131df41c90e53c55783842d3
font_02_sfnt_off00011aa1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11AA1 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1