Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b625f858e8e7cae…

Verdict: MALICIOUS
File type: PDF
Size: 63.5 KB
Created: 2021-09-15 19:19:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: 379dde9ce4bd1418c887fdd9a8ca6763
SHA-1: 1b27f8222bf61641bb84021aba012169139bbd41
SHA-256: 7b625f858e8e7cae8867a6734c0c132834c17f5bd94ec3a3f6ac574c5cd1397c
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and multiple external URIs, many of which point to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users. The ClamAV detection and ML classifier further indicate malicious intent, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.5661

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://oniceh.ru/uplcv?utm_term=android+app+to+see+who+is+on+my+wifi (PDF link annotation)
    • https://gallerylingard.com/uploads/file/14793959668.pdf (in PDF document text)
    • http://rucodelniza.ru/userfiles/file/16008510786.pdf (in PDF document text)
    • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/161343a8d685b7---rofezazepasa.pdf (in PDF document text)
    • http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/161318660abd0d---39745004207.pdf (in PDF document text)
    • http://kino-cosmik.ru/sadm_files/kibelopodanixudulu.pdf (in PDF document text)
    • https://multimetrics.com/ckfinder/userfiles/files/gogilifikatijelekibunone.pdf (in PDF document text)
    • https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/eb3d126vndgnp9iofu3okf4g30/xolamivukuzinojovurunefe.pdf (in PDF document text)
    • https://cezartravel.hu/userfiles/file/kinuvirexavejerezomigu.pdf (in PDF document text)
    • http://thecuriosityshot.com/pizurewixetavuposuj.pdf (in PDF document text)
    • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/1613485f0826a6---98999706420.pdf (in PDF document text)
    • http://www.psychophonie-tarbes.com/ckfinder/userfiles/files/81625816783.pdf (in PDF document text)
    • https://unique.global/wp-content/plugins/super-forms/uploads/php/files/e24381de5ffa439792126ccc9b459e07/56590997821.pdf (in PDF document text)
    • http://www.radanhorse.com/resource/files/pemas.pdf (in PDF document text)
    • https://buildingexpertsdirectory.com/ckfinder/userfiles/files/23388540515.pdf (in PDF document text)
    • http://nyett.hk/uploads/news/files/bazumeduledavuninag.pdf (in PDF document text)
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/b5583829d1ecdd43ba73396220d05e43/kufabivitarodupusido.pdf (in PDF document text)
    • https://www.denisonlandscaping.com/wp-content/plugins/formcraft/file-upload/server/content/files/16136fef26a2d9---kafoz.pdf (in PDF document text)
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/16135db65ddf4f---89014958035.pdf (in PDF document text)
    • http://cautrucpalang.vn/webroot/img/files/11755636170.pdf (in PDF document text)
    • http://worshipedia.mobi/sites/default/files/file/5199882264.pdf (in PDF document text)
    • http://cyc.cz/pictures/clanky/files/nukosobofebizopeva.pdf (in PDF document text)
    • https://arizonapoolcontractor.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141df730e9da---8123351515.pdf (in PDF document text)
    • http://park-seversk.ru/other/js/ckfinder/userfiles/files/72677967090.pdf (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000beab.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBEAB | 10900 bytes
  SHA-256: f711a299d6a6076e04edf8e65fb5f98005060a680aaacd103093b1d6550a0d83
font_01_sfnt_off0000d7ce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD7CE | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1