Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d02c9b8a2d2b1b4…

MALICIOUS

PDF

78.1 KB Created: 2021-04-27 22:08:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 04964392170b6c45377b41d4583522d8 SHA-1: 09e7353a7b3173072581e0e389161095fe490260 SHA-256: 7d02c9b8a2d2b1b4135b63ece991a6c265c8e07ef0e7b88debc09881c8878035
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It functions as a link farm, containing numerous URLs that point to compromised WordPress sites, likely serving as a distribution point for further malicious content. The presence of multiple links to compromised CMS upload directories suggests a coordinated effort to host and distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8126

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://creativesilhouettes.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1606f0d3b49dfd---muxuzefuraporav.pdf
    • https://wilsonbarrera.com/inicio/wp-content/plugins/formcraft/file-upload/server/content/files/1607501dd7eb31---41926976147.pdf
    • https://www.nuyew.academy/wp-content/plugins/super-forms/uploads/php/files/84269caa1495495b115cf0824dc86ba5/56472911872.pdf
    • https://www.autodepotperformancegroup.ca/wp-content/plugins/super-forms/uploads/php/files/llbd4b9pgtqerq86sudi0fe5vv/21666870481.pdf
    • http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/a209f7456aadde8bc09d2f48080be383/78635637576.pdf
    • http://metzpaintings.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080e947b36a7---sefuzajikufimudo.pdf
    • https://www.lightingsolutionsinc.net/wp-content/plugins/super-forms/uploads/php/files/88123b33bae3e0b851be88a13d9e7a99/79301267908.pdf
    • http://www.eflox.net/wp-content/plugins/formcraft/file-upload/server/content/files/16077f236b146b---gegolefudanej.pdf
    • https://www.synergyheart2heart.team/wp-content/plugins/super-forms/uploads/php/files/qj8ggsncoojbr2pd7puk5u01td/67652498916.pdf
    • https://broadstripe.com/wp-content/plugins/super-forms/uploads/php/files/38dc1e4bce9a8acfcf1a5a65dc8a9fa4/57457265871.pdf
    • http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/160794e5fa7f24---72154292811.pdf
    • https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/kovo8nge2vrtpn6agkpo085dcp/30729766221.pdf
    • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085c85935012---mepezurovut.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=jays+booter+free
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012593.bin
1c5882b86b97ee0d4aa0482dbd3134aa96d6929f1af7f8a50336383b3ef0fbe7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12593 4596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.