Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b659704ee191255…

MALICIOUS

PDF

58.1 KB Created: 2021-09-16 21:18:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: 65c90eb6a5ab7c8a57465e5785798172 SHA-1: b9e6e9c20358a5986af3af10e45d2472e670aeae SHA-256: 6b659704ee191255b345a3c9220131b6396577121b93c76238191490ab6c0888
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan. It contains embedded JavaScript and a link farm pointing to multiple distinct hosts, some of which appear to be compromised WordPress sites. The URLs suggest a pattern of redirecting users to download files or visit potentially malicious content, consistent with phishing or malware distribution campaigns.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4489

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/uplcv?utm_term=tap+to+wake+apk PDF link annotation
    • http://borisovhlebprom.by/var/upload/file/gofuvekelidim.pdfIn PDF document text
    • https://eqonetech.com/upload/userfiles/files/gomasanup.pdfIn PDF document text
    • https://euronet.stonavka.cz/webpagebuilder/ckfinder/userfiles/files/86815402102.pdfIn PDF document text
    • https://motelandratecuci.ro/userfiles/file/pezapiniro.pdfIn PDF document text
    • https://familienbilstrup.dk/userfiles/file/logonilejonuninatufaj.pdfIn PDF document text
    • http://orel-trinity.ru/sites/default/files/file/rerononitexelemelisefex.pdfIn PDF document text
    • http://kco.su/userfiles/file/56672916946.pdfIn PDF document text
    • http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612f512442700---vetepidaworuviwatakum.pdfIn PDF document text
    • https://lordoptika.hu/files/files/momifalegepozejule.pdfIn PDF document text
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/16139ae08004d6---87715059361.pdfIn PDF document text
    • http://faithleader.org/js/ckfinder/userfiles/files/47760239175.pdfIn PDF document text
    • https://felicityokolo.com/file/fomifaponekefipo.pdfIn PDF document text
    • https://zibarajabi.com/cache/fck_files/file/tuxava.pdfIn PDF document text
    • http://camel-republic.com/media/userfiles/files/segenufobunubilusugoja.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/dofuwojupudimas.pdfIn PDF document text
    • https://thanaclusterwestgate.leaddeehub.com/userfiles/files/46736086832.pdfIn PDF document text
    • https://divinenine.net/userfiles/file/lurajikaxelakofiw.pdfIn PDF document text
    • http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d65813a8ea---giledeled.pdfIn PDF document text
    • http://rbc-bezorgdiensten.nl/upload/penepunu.pdfIn PDF document text
    • https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/3c1a6790feb7226708df91c5d593f900/dixoxu.pdfIn PDF document text
    • https://kipass.fr/userfiles/file/42951844025.pdfIn PDF document text
    • https://isabellepieman.com/userfiles/file/80321851603.pdfIn PDF document text
    • https://allcreaturesinc.com/files/files/29660436763.pdfIn PDF document text
    • https://careerroots.net/ckfinder/userfiles/files/91847384085.pdfIn PDF document text
    • http://quickfix-poland.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613567f26f20a---14804288381.pdfIn PDF document text
    • http://studiotecnicolari.it/userfiles/files/zowozuseta.pdfIn PDF document text