Malicious PDF — malware analysis report

Static analysis result for SHA-256 7774bfc4b28c4568…

MALICIOUS

PDF

91.8 KB Created: 2021-09-04 02:15:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: 1bfb59f5275fb604e08675ee4e1fb31b SHA-1: 91317c74444cd6d2238be771b9ab5b31164f3eca SHA-256: 7774bfc4b28c456810658b3802ce8e8cd7613b84210be4a301e27ff6691a8146
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains numerous links to external websites, many of which are hosted on compromised or disposable domains, indicating a link farm designed to direct users to potentially malicious content. The ClamAV detection and ML classifier further support its malicious nature, classifying it as a phishing trojan. No scripts were extracted, but the primary attack pattern involves luring users through these embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5750

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://devcons.org/uploads/userfiles/files/41289481563.pdf In PDF document text
    • https://mercedesmazo.es/wp-content/plugins/formcraft/file-upload/server/content/files/1612419ef1272f---33157310403.pdfIn PDF document text
    • https://sealskinz.ru/files/file/madototebatefe.pdfIn PDF document text
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/im6gtb4tqfg0d9kqq5q5eisi51/befugesutumerusadesowofo.pdfIn PDF document text
    • http://iccj.jp/images/uploads/fckeditor/file/57368788093.pdfIn PDF document text
    • http://dighakanchaninternational.com/FCKeditor/file/31425240020.pdfIn PDF document text
    • https://citronixdeflection.com/nbloom/fckuploads/file/fenenunosexipupakazazopar.pdfIn PDF document text
    • http://oldmotorsclub.com/files/file/9715791612.pdfIn PDF document text
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087b9e7ad85a---suwogumawibizejoturetok.pdfIn PDF document text
    • https://zazilha.com.mx/wp-content/plugins/super-forms/uploads/php/files/29b31e19881a6b4feeffb94dfcd37491/80529371188.pdfIn PDF document text
    • http://ingenermarket.ru/userfiles/64835944831.pdfIn PDF document text
    • http://aksaxena.com/bpms/includes/fckeditor_uploads/userfiles/file/92465512746.pdfIn PDF document text
    • http://lotuscourtpune.com/wp-content/plugins/super-forms/uploads/php/files/mtj7vmogskcjedak19la0r55j1/28821710126.pdfIn PDF document text
    • https://tractorpulling-emmeloord.nl/upload/file/71741331631.pdfIn PDF document text
    • http://asqcert.net/files/files/rukesosebirelobewiwunejej.pdfIn PDF document text
    • https://baxsporthorses.com/userfiles/file/giwawarapazolalusip.pdfIn PDF document text
    • http://starrwindow.com/clients/863399/File/dudadusilidaz.pdfIn PDF document text
    • https://daluxerealty.com/wp-content/plugins/super-forms/uploads/php/files/0606f97a6ebf6b40c11d3f31cf4fc529/77910140382.pdfIn PDF document text
    • https://htlexpress.com/ckfinder/userfiles/files/vewavelawutorixogiga.pdfIn PDF document text
    • http://kargiskola.ge/myadmin/ckeditor/ckfinder/userfiles/files/57068353384.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=dise%C3%B1o+de+elevadores+de+cangilones+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010865.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10865 10972 bytes
SHA-256: 8237c0b7a04fff0c3d2696afccf2262fd8c38b7d86eedc60310bcc8d9559ae3e
font_01_sfnt_off00012182.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12182 21700 bytes
SHA-256: 77964990c3d3e4a20cb4447435302bdccaa45d8d43aa6d33c6b4a1699082ed82
font_02_sfnt_off000158a0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x158A0 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1