Malicious PDF — malware analysis report

Static analysis result for SHA-256 75f1a8cec2ec449d…

MALICIOUS

PDF

73.6 KB Created: 2021-06-09 09:18:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 752ef2157ec61050c8626a6ce62e39d1 SHA-1: bcd249d5e7a97681e5eccae7c975b97965badf9e SHA-256: 75f1a8cec2ec449d8e633f69268a9b96f25f8736b871837ff6fcd12202c0cc9f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised WordPress sites, likely intended to trick users into downloading software. The presence of PDF_URI and PDF_SEO_DISPOSABLE_LINK_FARM heuristics further supports the phishing and link farm attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9794

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=vidmate+pc+setup+exe PDF link annotation
    • https://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/bc6107c2a6fa3ff6a86cabf23f87093f/vebetapezemesefaxe.pdfIn PDF document text
    • https://area34.info/wp-content/plugins/super-forms/uploads/php/files/hrtdj49fvar9jfl0vv5okjnpl6/rofulovilupasezijelanim.pdfIn PDF document text
    • https://t4g.nasscomfoundation.org/wp-content/plugins/super-forms/uploads/php/files/imusi97h8p5mim1604cmvp9rp4/vukuzidusazomobixixizuw.pdfIn PDF document text
    • https://www.ibyservice.com/wp-content/plugins/super-forms/uploads/php/files/ca9372b9af75b00d168cc0e1eaeedb66/puwovojutajuxiku.pdfIn PDF document text
    • http://3handseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d0581c9f5a---napalasugunazojuzov.pdfIn PDF document text
    • http://www.chinahkcarplate.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609bde47b5bd7---19507545771.pdfIn PDF document text
    • https://laxmigrouppune.com/wp-content/plugins/super-forms/uploads/php/files/833fb9c30d90f1b6145e50ab2625ac36/93943982692.pdfIn PDF document text
    • http://bajajsports.com/userfiles/file/40153764462.pdfIn PDF document text
    • https://arihantgranites.in/wp-content/plugins/super-forms/uploads/php/files/6m7i7h9t6ohtlvhm1qtmc0dhr6/foxudekaxixuwobafivumoba.pdfIn PDF document text
    • http://ontheedgeofnow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160784ec1c3ceb---ruwaletovowipifefexi.pdfIn PDF document text
    • http://brightwayconsultancyservices.com/userfiles/file/26327872491.pdfIn PDF document text
    • https://www.lenoir-elec.com/wp-content/plugins/super-forms/uploads/php/files/ppnlkdckvmkohbsaba6c3ppcsb/boxefasogapeworarup.pdfIn PDF document text
    • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/j56tt1qrf4794u04fuoahencc1/23353614607.pdfIn PDF document text
    • http://sns.hu/_user/file/rizotowisatawudaf.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec18.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC18 5124 bytes
SHA-256: c4eff0776bd917ec5be969879a699c325056f356a5511cb496576ba8a80bb5c2
font_01_sfnt_off0000fd77.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD77 14096 bytes
SHA-256: 40e0748ff9155a11adde3588bb480a1201e4eea5d7cd733c804120e2b9e3968b