Malicious PDF — malware analysis report

Static analysis result for SHA-256 75f483aedde9c69c…

MALICIOUS

PDF

79.0 KB Created: 2021-07-07 00:09:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: e33428230791c7ec19883217c802de6a SHA-1: b84635c8cd61fcc81e85ccd7b2e1a1151dfbe230 SHA-256: 75f483aedde9c69c4d576c507dcbaaa1aa5dd1f61c98e75a3ca3440e2b1b6ca3
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. Static analysis revealed multiple heuristics indicating the PDF acts as a link farm, directing users to external URLs hosted on compromised CMS uploads and disposable hosting. These links likely serve as a lure to download further malicious content, fitting a phishing or malware distribution pattern.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2676

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://htapigroup3.com/contents//files/4793507395.pdf In PDF document text
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/t6vcj0vh0v4ncc8vi5dvimtp50/66505755242.pdfIn PDF document text
    • http://jagatjyotischool.org/jagatjyotischool/userfiles/file/39288457221.pdfIn PDF document text
    • http://lex-ter.ru/admin/ckfinder/userfiles/files/julologajojogabog.pdfIn PDF document text
    • http://ahlhy.com/uploads/file/060208189169.pdfIn PDF document text
    • http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607cdaace2fbb---xozepi.pdfIn PDF document text
    • http://flex-link.cn/uploadfiles/files/zezadekovifog.pdfIn PDF document text
    • http://klefmarken.se/upload/file/vivaxorevebu.pdfIn PDF document text
    • https://www.msolartop.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1607d57470d300---lifefasabu.pdfIn PDF document text
    • http://wang023spa.com/userfiles/202107file/2021070205084470554.pdfIn PDF document text
    • http://www.scmphotography.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607caf6447cf3---bikivuxilunovare.pdfIn PDF document text
    • http://thicongdiennuocmiennam.com/uploads/files/limewu.pdfIn PDF document text
    • http://boracayg.com/FileData/ckfinder/files/20210706_5727A0A55B424E2E.pdfIn PDF document text
    • http://boilerservis.ru/uploads/files/32143506443.pdfIn PDF document text
    • http://files.ibiza-ferien.de/file/guzavizomojulekozebumetu.pdfIn PDF document text
    • https://decoveinvestment.com/userfiles/file/83424013423.pdfIn PDF document text
    • http://averon.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16098a8135dec5---vexekewilem.pdfIn PDF document text
    • http://eraucheta.ru/uploads/file/fegan.pdfIn PDF document text
    • https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/c9dkau1j3tukdu2c3take8t0cl/difuzalufijifasedanomiseb.pdfIn PDF document text
    • http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/ji6h0emhglf6hlgak2olorfdoq/sovix.pdfIn PDF document text
    • https://medtek.vn/storage/file/megumedinomipurixirofimu.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/ab4f837c76d3ac2cc8327895c517e008/99597599809.pdfIn PDF document text
    • http://haniltm.kr/upfiles/editor/files/16117277294.pdfIn PDF document text
    • http://innova-perila.ru/upload/files/pufusujepo.pdfIn PDF document text
    • http://podlahyadvere.sk/editor_uploads/system/files/37201606496.pdfIn PDF document text
    • http://kingcraftviet.com/uploads/ckfinder/files/livudute.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=sample+request+letter+to+purchase+an+item+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000103cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x103CB 11208 bytes
SHA-256: 5416348526e85f6e3750ef55f9b2a9c5c625988d0cdca204e8a9182eb6d5d07d
font_01_sfnt_off00011d8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11D8A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1