Malicious PDF — malware analysis report

Static analysis result for SHA-256 80cd7273c92eb6e1…

Verdict: MALICIOUS
File type: PDF
Size: 81.8 KB
Created: 2021-07-20 12:22:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11
MD5: a91d4c629ce0b6bb090fed35d83d6cbb
SHA-1: a2fd9b49f057de6e1ae31e032c7944ee6dc4a59b
SHA-256: 80cd7273c92eb6e10a078240c9acfb8c87d8d207e54d35129e6d5fd5520b7296
Risk Score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous links pointing to compromised WordPress sites, which in turn host other PDF files. This suggests a link farm or redirection scheme designed to lead users to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a phishing or trojan distribution intent. No scripts were extracted, but the structure indicates a malicious document likely intended for initial access via spearphishing.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3290

Heuristics (6)

  • [critical] ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [medium] PDF link farm points to compromised-WordPress upload storage (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • [medium] Small PDF is a non-clustered link farm on disposable hosting (PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] External URI (PDF_URI)
    PDF contains an external URL action.
  • [info] PDF differential parser failed (PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e3a7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3A7
    Size: 10988 bytes
    SHA-256: e474062bbf4e10cdc892d16b902e0d873ca5526b66fee73517b930ea670e2496
  • Filename: font_01_sfnt_off0000fd1e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD1E
    Size: 17676 bytes
    SHA-256: cdf642fccbd91db9852c778c5ce11872214aad2d04142e2b213930b29890126d
  • Filename: font_02_sfnt_off00012bb1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12BB1
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1