Malicious PDF — malware analysis report

Static analysis result for SHA-256 69c2ba294f167889…

MALICIOUS

PDF

56.8 KB Created: 2021-09-26 16:55:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 7677cc2826485e97422f25a789315b70 SHA-1: d057391ff75f441a543c7506d7d211df00f83540 SHA-256: 69c2ba294f1678899943a302559acdca9bede293e431a805a1774d7395ba330f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external URIs and embedded links, many of which point to compromised WordPress sites or disposable hosting, characteristic of a link farm used for phishing or malware distribution. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this. No scripts were extracted, but the structure and embedded links strongly suggest a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8486

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=prom+night+2008+full+movie+online+free PDF link annotation
    • http://ortopediaszombathely.hu/editor_up/burisexovin.pdfIn PDF document text
    • http://satakantaresort.com/user_img/files/80813349552.pdfIn PDF document text
    • http://urs-certification.com/gais/image/file/wezazonuwipefuzor.pdfIn PDF document text
    • https://zenmobile.in/jaipriyart/uploads/files/12123930620.pdfIn PDF document text
    • http://nenayu.com/filespath/files/20210926214528.pdfIn PDF document text
    • http://bachova-terapia.sk/images/file/lufomogezozedesivuk.pdfIn PDF document text
    • https://vinacomvietnam.vn/uploads/news_file/55293496539.pdfIn PDF document text
    • https://izr.fr/files/18194465263.pdfIn PDF document text
    • https://www.agencesramos.com/ckfinder/userfiles/files/9582183216.pdfIn PDF document text
    • http://say-international.eu/userfiles/file/giforuwun.pdfIn PDF document text
    • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/efbfbda4c98ab300c31d4603929417a7/35709567814.pdfIn PDF document text
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/741ehhioa29p7jjhctlnvmqlub/42475541078.pdfIn PDF document text
    • http://www.restorationservice.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1613f3acfba528---gipaki.pdfIn PDF document text
    • https://www.agcontraincendios.es/ckfinder/userfiles/files/85169340967.pdfIn PDF document text
    • http://www.logistiekverbeteren.nl/ckfinder/userfiles/files/mudofaj.pdfIn PDF document text
    • http://hakasasi.id/userfiles/file/29978727036.pdfIn PDF document text
    • http://grani-tonkogo-mira.ru/wp-content/plugins/super-forms/uploads/php/files/8b4eb78ad018ec839e82e6d6f2c4516c/2241641542.pdfIn PDF document text
    • http://zaiger.ru/img/file/67173677644.pdfIn PDF document text
    • http://ebrinteractive.com/userfiles/file/29715133824.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a92e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA92E 10948 bytes
SHA-256: e29fc525fd2b880e868682644c86fc35b48065d1d5a0d904612bb1b866c33027
font_01_sfnt_off0000c26d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC26D 14860 bytes
SHA-256: 1a83484e19dc735e974a266db98b1392a292d723cc68151f04e5ced0e542b64f