Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c44a8187a45c88a…

MALICIOUS

PDF

63.6 KB Created: 2021-06-05 21:08:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: 754d98feb06851a2bb7cb8d0f4bcc7ec SHA-1: e96f90583cda106c525ba48c0765b258d4cfebea SHA-256: 7c44a8187a45c88ada38ea28ad8953ded4279daef87647661bd864862e9a8f79
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous URLs that point to compromised websites and disposable hosting. The embedded document body text, though partially corrupted, includes a search term suggesting a lure for users seeking specific content, which is then redirected through these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8681

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=ishq+mein+marjawan+2+serial+title+song+download+mp3 PDF link annotation
    • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/8d42c22480a48bfdd3e88dd846f03012/82934322869.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607feafe781a5---34767374901.pdfIn PDF document text
    • http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/787a63dba4dbe17c32b18094f0e10ddc/74272146536.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/1179379505cf41c9b93420af041d0573/92601663055.pdfIn PDF document text
    • https://sharzh-ufa.ru/wp-content/plugins/super-forms/uploads/php/files/13532309d2a1d7d5fdb8761afe077cfe/55259538016.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a69b02b8805---14608370545.pdfIn PDF document text
    • https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/16098c16e6f38d---favumugisokikus.pdfIn PDF document text
    • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/f0149dae515fe7524c11ca001f0d74ed/nelet.pdfIn PDF document text
    • http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/16087404abee57---9287173875.pdfIn PDF document text
    • http://accessiblevehicleservices.com/userfiles/file/52063795689.pdfIn PDF document text
    • http://kokocurry.gm/userfiles/file/zijamezuwurir.pdfIn PDF document text
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/1sq1qj92h14n2moj67b8t7aav0/66518547674.pdfIn PDF document text
    • http://nail-free.com/ckfinder/userfiles/files/vorokilinipuzivilewarad.pdfIn PDF document text
    • http://pulsrmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aa3fdbdd759---leworamaxipoxegavujufepab.pdfIn PDF document text
    • http://mmckno2010.zkosuchdol.info/files/44356829286.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dccf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCCF 5900 bytes
SHA-256: 5e24188d6aeeae9fba1e37844e3c0b9715e44d1f1ee872e317e7d1a261197caa