Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e36995f6d589ce8…

MALICIOUS

PDF

80.0 KB Created: 2021-09-02 10:08:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: d0278bbddb47f13bef307c0ee73fed37 SHA-1: cf6b552cd5917aafb842eab46b16bc9e760d8d57 SHA-256: 7e36995f6d589ce8b83cb1ad6b25d17afaa6d64a687d9a614d14420d5be15721
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains embedded JavaScript and numerous external URIs, many of which point to compromised websites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of embedded JavaScript indicates potential for further exploitation or payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8764

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://0930actress.com/files/files/18710427157.pdf In PDF document text
    • http://brothersaluminium.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/160893e325c433---niwuxop.pdfIn PDF document text
    • https://lacaune.hu/userfiles/file/81859349423.pdfIn PDF document text
    • https://callhfelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b1a5653411---66580914073.pdfIn PDF document text
    • http://adams-gold.ru/archive/image/file/kuxuredemisopejimujago.pdfIn PDF document text
    • https://sitebyside.ru/wp-content/plugins/super-forms/uploads/php/files/f12bcc97e6689ee9177f390fc231f094/xibezimuxolenuzil.pdfIn PDF document text
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160bf6355b73a4---98371062964.pdfIn PDF document text
    • http://guides2alpes.fr/uploads/file/51039978728.pdfIn PDF document text
    • https://cashmeredreams.com/wp-content/plugins/super-forms/uploads/php/files/333ad2e95a75f16baac7221b1a735fad/94519912563.pdfIn PDF document text
    • http://ngpsusa.com/wp-content/plugins/super-forms/uploads/php/files/159sqougvoon7eig377pdio4g0/62282939768.pdfIn PDF document text
    • http://grupophi.es/uploads/files/71310554596.pdfIn PDF document text
    • http://reiki-roots.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609491046ac9c---rotirelagetejuv.pdfIn PDF document text
    • https://www.stamfordtaxis.com/wp-content/plugins/super-forms/uploads/php/files/9angsolnv8gem8ndq2cr0lm3pu/78515990399.pdfIn PDF document text
    • https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/d7c9e313ac17b20ebae13d147c141ad8/segeli.pdfIn PDF document text
    • https://www.webhisto.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160a5eaa06d9ef---zofopovobubasufe.pdfIn PDF document text
    • https://cargotavio.ru/files/file/72764644878.pdfIn PDF document text
    • https://gilbertems.com/videos/file/kivepetafunubipojunejo.pdfIn PDF document text
    • https://charlesstreetvideo.com/userfiles/file/67788997484.pdfIn PDF document text
    • http://floral-design-lindgens.de/userfiles/file/galipuwatowodugijeb.pdfIn PDF document text
    • http://amsaneeraus.fi/userfiles/files/95333185147.pdfIn PDF document text
    • http://www.sunarmisir.com.tr/wp-content/plugins/super-forms/uploads/php/files/ti8jedi5rqbled900n5s8okks2/bidofilexupafunonopogo.pdfIn PDF document text
    • http://w3-japan.com/js/upload/files/kovoviw.pdfIn PDF document text
    • http://global-insurance-broker.de/downloads/61619512113.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=ruth+bader+ginsburg+years+on+supreme+courtPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fe7f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFE7F 11316 bytes
SHA-256: 11f3e166bd3c4b44d52333e0c077036566e3e4af0e9d867c5c55d5b8d984ef6f
font_01_sfnt_off00011884.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11884 17552 bytes
SHA-256: a96f6acefd534178d296bb317b7350ea80dc0436820999cb6a1e7addfe319749