Malicious PDF — malware analysis report

Static analysis result for SHA-256 78f56e6aa01a813d…

MALICIOUS

PDF

74.8 KB Created: 2021-09-05 00:37:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 680ff073853e5c1204a8de18fed6a46b SHA-1: b80c5d4d4646430597212d0d890ea18666de906e SHA-256: 78f56e6aa01a813dad69a882bf7152d98b6a4a43245452eb8818a5f58c2ad3ca
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, indicating a link farm designed to redirect users. ClamAV detected this file as 'Pdf.Phishing.Trojan', suggesting a phishing or malware distribution intent. The presence of external URIs and link farms points towards a phishing or initial access vector.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4800

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://inspiredindianfoundation.org/uploads/53853482974.pdf
    • http://bitree.net/ckfinder/userfiles/files/totijirosasenilebepimavu.pdf
    • http://yamamatoen-wanwan.jp/ckfinder/userfiles/files/pogareg.pdf
    • https://plumcourse.com/wp-content/plugins/super-forms/uploads/php/files/a93ef3e632b617911e49d586ff77f133/wilinidadabawofurulekuwam.pdf
    • https://handientu.vn/userfiles/file/58766943967.pdf
    • http://raduzhniy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16126d9370cdf6---49195401434.pdf
    • https://oddluzanie.net/userfiles/file/difobakoz.pdf
    • https://aannemingsbedrijfbarthulsbosch.nl/userfiles/file/24257339768.pdf
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/accfc26cd78901f6f7b4b926fecad492/sogofilof.pdf
    • http://inruho.ru/ckfinder/userfiles/files/52789038593.pdf
    • https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/2efef165124e5cb7eb7a92f61825f23c/21995353386.pdf
    • http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/16133dfa8c782a---74478911213.pdf
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/kkpdqa682u047ajabo3omcuu8f/68012536655.pdf
    • http://xinge168.com/uploads/files/20210818053251_754210.pdf
    • https://lederstuehle-shop.de/ckfinder/userfiles/files/36504704897.pdf
    • https://hostsolutions.ro/app/webroot/files/userfiles/files/27241268346.pdf
    • https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/b6f3799ea63acf4153b7aadd33536306/wiravaxak.pdf
    • http://dekogard.net/deko/veri/_files/48951863972.pdf
    • http://raykingcarroll66.com/clients/2/29/292092747e06e0ab09130fa737b110c0/File/47145168198.pdf
    • https://cylinder96.ru/admin/ckfinder/userfiles/files/wasuzifadifijebamaba.pdf
    • http://thuonghieutoancau.vn/uploads/files/nefepigisilavilidugarunad.pdf
    • http://wdnederland.nl/file/1940873928.pdf
    • http://antwerp-rentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083beaf5dec2---niserugul.pdf
    • http://kiuruvedenlukio.fi/tiedostot/file/90005043380.pdf
    • http://prplus4u.com/ckupload/files/71006664120.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=how+to+convert+document+to+pdf+on+mac
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d083.bin
4326c2f32b622b8ca49cd5370c85cdb980f8aa25b574e3df61026fc5a67274e2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD083 17108 bytes
font_01_sfnt_off0000fc77.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC77 16792 bytes
font_02_sfnt_off0001148e.bin
d58dc1857520b1a81121f8aebf57d968469841788bf0722302a495fc438c8ad9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1148E 10716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.