Malicious PDF — malware analysis report

Static analysis result for SHA-256 800ea3adc535d3dc…

MALICIOUS

PDF

71.7 KB Created: 2021-08-26 10:31:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: d1bb3704e7b42f4fa51689c6fac02b03 SHA-1: 23918ea0c288df7a5350abafd84384ca0e9ca478 SHA-256: 800ea3adc535d3dc094932e11cb8600ad77ece0603df5fb7a031338c64e8b14e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs, many of which point to compromised WordPress installations. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a pattern of using disposable hosting for a link farm, suggesting an attempt to obscure the true destination or purpose. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7179

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/73c9e395358a8dc04c1d42528db6199c/nopewurefajazevusewamamop.pdf In PDF document text
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c03b7c12554---wuxirusoduwaw.pdfIn PDF document text
    • https://m-isc.com/userfiles/file/96431384866.pdfIn PDF document text
    • https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/b31a12d24855fb914cb2b9acc0e4b8cb/29202928761.pdfIn PDF document text
    • http://www.majoriscambio.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160795a1730814---wawinu.pdfIn PDF document text
    • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/db0cafa585f915419abcf4b8d187e32a/74364049942.pdfIn PDF document text
    • http://themultifold.com/wp-content/plugins/super-forms/uploads/php/files/et3g7h15pimojql5375n2pve66/6162104727.pdfIn PDF document text
    • http://www.alquilerbares.com.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1606d7e3826f3a---59732051993.pdfIn PDF document text
    • https://yunglin.com/uploadpic/files/4201031236.pdfIn PDF document text
    • http://crocepadrekolbe.it/userfiles/files/malejusekiwimetuniv.pdfIn PDF document text
    • http://botosani.ro/img/uploads/file/lovanivoluxurupurumarawa.pdfIn PDF document text
    • https://blsautomation.com/ckfinder/userfiles/files/tajasajujiposemofosed.pdfIn PDF document text
    • https://brahmagnanam.org/fck_uploads/file/14610335563.pdfIn PDF document text
    • http://chromoink.com/updates/file/76225943914.pdfIn PDF document text
    • http://eventcompany.org/clients/e/e3/e30ef11cf4efe639fe6592aa37b9cb94/File/visepitu.pdfIn PDF document text
    • http://www.sempresaude.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c226fe1817b---2278296248.pdfIn PDF document text
    • http://locum-system.pl/userfiles/file/9717558812.pdfIn PDF document text
    • https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/5a26232bc6ecfa84d0fd26fc9550713e/vivepomevuvepafuzefidunok.pdfIn PDF document text
    • http://domuran.pl/files/file/24623308091.pdfIn PDF document text
    • http://www.sandzthabapanel.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607660005f61a---41289677376.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=dark+age+red+risingPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dbea.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDBEA 17464 bytes
SHA-256: f16795236422b7a1a188e10e8badbc9a217e072f90d5f09bf5e3ab22a748a547
font_01_sfnt_off000109b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x109B7 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.