Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c81d91017cb0386…

MALICIOUS

PDF

64.0 KB Created: 2021-09-04 20:55:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 087f2ef94f1ea305667649ecae1f3691 SHA-1: 190b528103458e15d8b919d871f0d6ae2f3da938 SHA-256: 6c81d91017cb03868374d1aea38a41da9369c1a631f0eb5cdda71394764dca39
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was detected by ClamAV as a phishing trojan. It contains embedded JavaScript and a large number of external links, many of which point to compromised WordPress sites or disposable hosting, suggesting a phishing or malware distribution attempt. The presence of embedded JavaScript indicates an attempt to execute malicious code within the PDF viewer.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5438

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/6sd55ppbpbh6a688d4ugcb2fl6/jodilolusemevilufimu.pdf
    • http://plenaadoracao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160e9755d2b78c---44173206379.pdf
    • http://hrudolf.com/userfiles/54595800666.pdf
    • https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/36a38c0cb3586e7d652127c747ec1d97/kesimowamotiwomopezotixe.pdf
    • http://ufnk.fr/app/webroot/files/file/41224387132.pdf
    • http://webdulich.com/js/ckfinder/userfiles/files/tuvaxunebamesisubuzik.pdf
    • https://hacunamatata.ru/wp-content/plugins/super-forms/uploads/php/files/a09833fca0d2ee01f949b35fc67d243a/rimujogixewuwiwawinigu.pdf
    • https://glass-haus.ru/wp-content/plugins/super-forms/uploads/php/files/ec4f8655baa06e6b455d71e5041ac097/kujinuruwetumopowejosowim.pdf
    • https://ochronaskory.pl/pliki_user/File/minotokijukabuto.pdf
    • https://www.varishastalari.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a61b97a6df---gipupokotizadisuvatar.pdf
    • https://pluviaterra.mx/wp-content/plugins/super-forms/uploads/php/files/ee7c515a2cd6ae3c6b93cfa839a89a2e/dakukobenanavem.pdf
    • http://kasargod.net/uploads/file/90035729003.pdf
    • http://wingmanplanningdemo.com/userfiles/files/96015848088.pdf
    • https://pepsima.biz/files/file/31286851289.pdf
    • https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/b07ee1fcd94142408fcb19a48ab3d2dd/65110123561.pdf
    • http://tmkb.org.tr/ckfinder/userfiles/files/pinid.pdf
    • http://anm-av.de/uploads/files/wotegovanorejipaludejo.pdf
    • https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/e578ba8fe01c6e5d09eb9fbe4bf4c7f2/33268208883.pdf
    • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/63bj0lj55ujb5e9tkg5vg2a7su/64004687865.pdf
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/160f06deed787d---39995244860.pdf
    • https://www.bouwenaaneensterkwerkgeversmerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16071d11a33b15---56625277117.pdf
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/18b9df6526fac848d42fc78a4837ebd0/fabewunogebupud.pdf
    • http://thegroverestaurantnj.com/userfiles/files/woxutanofukaladolev.pdf
    • https://www.tessilgiada.it/wp-content/plugins/formcraft/file-upload/server/content/files/16076bcc69425b---29741414467.pdf
    • http://perles-del-beya.com/userfiles/file/rewemorurajadamibuviwapag.pdf
    • http://fixafilm.se/userfiles/file/72335753187.pdf
    • https://hoffmanowska.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160885cff83e38---26997370753.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=roland+cube+street+ex+manual+pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e34a.bin
b9e09f1ffce92d47058e5d4579ad47f8149466011dd2f5d51bc62f320fbb5952		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE34A 11076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.