Malicious PDF — malware analysis report

Static analysis result for SHA-256 74ce62771610c74f…

MALICIOUS

PDF

59.9 KB Created: 2021-06-13 14:36:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-15
MD5: ee06dad6ff4fea2a025fedd60f5ad23a SHA-1: 648d8b23f4f60019ee65f233de6a1b03c81f2eb3 SHA-256: 74ce62771610c74f505679ff58f496def5f082b35645f84e56c5c7332a0b5b95
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document contains numerous links pointing to compromised WordPress upload storage and disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The presence of embedded URLs and the nature of the heuristics strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8123

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=walang+hanggang+paalam+november+17+2020 PDF link annotation
    • http://jrpst.pl/userfiles/file/gekedazirelalukeve.pdfIn PDF document text
    • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/d67cc4d1a71c80ac024352e232a1d33b/29471165653.pdfIn PDF document text
    • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160b865caa8d24---rujujesibafusimifonitix.pdfIn PDF document text
    • http://avtoarka.ru/wp-content/plugins/super-forms/uploads/php/files/7eafea28838eb0d315351f03fdce0a0b/dotarig.pdfIn PDF document text
    • http://aihyang.com/userfiles/file/kakijiwuzu.pdfIn PDF document text
    • https://beribuket.ru/wp-content/plugins/super-forms/uploads/php/files/73dbbe85cb9efd536cb46bb83c20b196/mekozezotaxim.pdfIn PDF document text
    • https://mithermomix.com.mx/wp-content/plugins/super-forms/uploads/php/files/53619c7221442fa786a1873011f59e29/60365781489.pdfIn PDF document text
    • https://bestcoloringpages.com/userfiles/file/duxadokubovupawukotanuwun.pdfIn PDF document text
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/9577fcca242cc2a6bea50a3c58d11cbd/79091875425.pdfIn PDF document text
    • http://akcjonariusz.com/UserFiles/file/kofewigupelolor.pdfIn PDF document text
    • https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/7f3af6acba1324984641c2b7f2ecf0fc/judabanevalo.pdfIn PDF document text
    • http://shreejians.com/userfiles/file/gobixokivebipedaju.pdfIn PDF document text
    • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/160912888b110b---varulazupegutonoxexe.pdfIn PDF document text
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/166ce1104faf707c891dc9a46c0919e5/korisevodasiwum.pdfIn PDF document text
    • https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b26adfe0264---44376946466.pdfIn PDF document text
    • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/ms59m6kf1bvf5c2hqac22c7er5/ninibeja.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d7ee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD7EE 5672 bytes
SHA-256: 16cdf014878ed2957f51dacab90cb5df02aa751e8da95e09c725fd40122384c6

Open this report in the interactive analyzer, or submit your own file for analysis.