Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d9104b5920268bd…

MALICIOUS

PDF

Size: 92.7 KB
Created: 2021-06-21 08:13:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: a833cd2a1bcbfae1b90e322620e8b8b2
SHA-1: 49fbe1b40b9044553fac3e580fc3a36a25325dd5
SHA-256: 7d9104b5920268bd34a0019db0448b68993f859b41481bf9e474a7293779616f
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5144

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000c7bf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC7BF | 7916 bytes | b6d8f72b59c47e884b0b6746a25c5cbd96eb494928042fd8f7d2b0ad088f297a
font_01_sfnt_off0000dc1e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC1E | 4032 bytes | a849b76f9363f6e208a6b3b97826a54f7c8e554eb642b232eb64e54d4f8be3d6
font_02_sfnt_off0000ea8f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEA8F | 5228 bytes | fc820809ba42770c0d911a48822eedf0983c50d63ca6aa9097a7eafe91823806
font_03_sfnt_off0000fc35.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC35 | 2656 bytes | 1620336da6018abf771a3b64a4739dbc5cc5761e5bcfd31f9568e9163b5e6178
font_04_sfnt_off0001073a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1073A | 4140 bytes | b7882c459d94d9fb05ee491b72d0ee9c35e8d4bc9ed5787c7a0b3ba78fd6bc86
font_05_sfnt_off00011458.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11458 | 3048 bytes | e23308bb06bff427f4fe2d795198e016b2e9db23d45fd702446b15ef1a1323d1
font_06_sfnt_off00012064.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12064 | 2328 bytes | 6d897259d7ab9db79b0dbb16904cd99ff486aa7f4a475590a5d3e44eab6e0eed
font_07_sfnt_off00012b1c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B1C | 2604 bytes | d4cda5a9ecb2558448f754249352cd4d73a8f7efff03060ee9a54ebf713292d1
font_08_sfnt_off000135f4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x135F4 | 3840 bytes | 869700f7b438b0b0f23cfbf3a170597ae1a6b01e9ba9f60fe7298d5eefb98f81
font_09_sfnt_off00014402.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14402 | 2108 bytes | b3976ad28991401f3a7e0d936621f3963ed8fd81aff5bedc9e25cf6548b1959b
font_10_sfnt_off00014ddd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14DDD | 4336 bytes | 87016e8933cc862d1d188edfbee698abcff8178ed3d6b510b61737ee02f60284
font_11_sfnt_off00015b7d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15B7D | 6148 bytes | 0b38f6fd5e0b54bfa22d5adee1cfe00629fe134100fc7cfc1ad14a2ab7974207