Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f5f9650c9262b79…

MALICIOUS

PDF

62.2 KB Created: 2021-09-13 15:16:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 95bc73583b1082d00e124b0ade7444ad SHA-1: 57951542e2ca68e714c958fd3ceeaca3eda168a4 SHA-256: 7f5f9650c9262b79db8d272c97f63f925144464aa4c07f8eb3995403bccbad97
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for executing malicious code. It also features numerous external links, many pointing to compromised WordPress uploads or disposable hosting, suggesting a link farm designed to obscure the ultimate destination. ClamAV detection and ML classification further support its malicious nature, likely as a phishing or malware delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7193

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hyunsin.net/userfiles/file/susepidetilin.pdf In PDF document text
    • http://alexlunacoach.com/img/editor/file/wajutuvexilad.pdfIn PDF document text
    • http://top1np.com/ckfinder/userfiles/files/34938849127.pdfIn PDF document text
    • http://project-lovcen.me/userfiles/file/gutuvixizusetofuzomuzo.pdfIn PDF document text
    • http://riskhedgetech.com/uploaded/file/436170574612ec44c0231c.pdfIn PDF document text
    • https://thieumaunao.vn/workspace/develop/uploads/ck_upload/files/dejufopub.pdfIn PDF document text
    • http://creaorganization.com/depo/sayfaresim/file/kukumalu.pdfIn PDF document text
    • http://www.valaisconsulting.ch/file/gidenopawabareb.pdfIn PDF document text
    • http://alituncer.com/userfiles/file/69769990766.pdfIn PDF document text
    • http://friend5190.xyz/js/ckfinder/userfiles/files/64338715321.pdfIn PDF document text
    • http://kaus21.com/userData/board/file/mizaxibuwulonixo.pdfIn PDF document text
    • https://www.yoursurveysurveyors.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16137fb9d76ed0---poduvakoka.pdfIn PDF document text
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/65b836541a99b33b4d34ed085afa93b1/66764496812.pdfIn PDF document text
    • https://ehlibeytalimleri.com/resimler/files/58856222745.pdfIn PDF document text
    • http://kimhoatra.com/upload/fckimagesfile/xuxakazikapowo.pdfIn PDF document text
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613980cfa1ea1---24164404939.pdfIn PDF document text
    • http://doanekeyes.com/userfiles/docs/laziro.pdfIn PDF document text
    • https://vietnam-pump.com/userfiles/file/rupupejejavako.pdfIn PDF document text
    • http://naturabliskociebie.pl/userfiles/file/81434709983.pdfIn PDF document text
    • https://melz-feu.ru/upload/xadasasowunefurotafijir.pdfIn PDF document text
    • http://detskypohar.cz/upload/file/jadak.pdfIn PDF document text
    • http://www.physedu.in/newsite/userfiles/files/jemejawizexi.pdfIn PDF document text
    • https://divanich96.ru/admin/ckfinder/userfiles/files/wusexipi.pdfIn PDF document text
    • http://khodahoanglang.com/admin/webroot/upload/image/files/60096005082.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=essentials+of+biology+6th+edition+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d60b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD60B 11080 bytes
SHA-256: 34bc202f100fe23677763601807cf97a7c7c8dd2ab786598230b75f3e1f05d44