Malicious PDF — malware analysis report

Static analysis result for SHA-256 8647298802f41216…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2021-09-19 13:46:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 3d63aa9c5cd7d4470f9c1d1925fb585b
SHA-1: 05ab7ec0ffdbe4d45c95df6023771ab3037f99f2
SHA-256: 8647298802f412161fec9ffe1c37d3e1a501aee1db4776210e488eb32204f29d
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, most of them pointing at random-slug PDF files parked in upload directories on compromised websites (many of them WordPress sites running vulnerable form plugins) or on disposable hosting. That pattern is the signature of an SEO link farm: the document ranks for search queries and routes users into redirect and payload chains hosted elsewhere. The ClamAV detection and the ML classifier score support the malicious verdict. The authoring application, wkhtmltopdf, renders HTML to PDF, which is consistent with a templated, machine-generated document. No exploit is present in the PDF itself; the T1203 (Exploitation for Client Execution) mapping above is not supported by the heuristic findings, which state that the risk lies in the linked destinations. The URLs, not the file, are therefore the indicators worth blocking and hunting for.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6688

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://odlingfamily.com/userfiles/file/nixunulo.pdf (in PDF document text)
    • https://taumed.kz/upload/2021/09files/210907132442179516g4myn.pdf (in PDF document text)
    • http://biosafety.biz/ckfinder/userfiles/files/nogizaniwetunib.pdf (in PDF document text)
    • https://learnrkbin.jugalbandiresearch.com/ckfinder/userfiles/files/nuvigotufixowu.pdf (in PDF document text)
    • http://pwmtqatar.net/userfiles/file/mejilakomumojamevi.pdf (in PDF document text)
    • http://mrhobbscoffee.com/images/uploads/file/42468498641.pdf (in PDF document text)
    • http://intertexmedical.com/userfiles/files/2551748140.pdf (in PDF document text)
    • https://beautyyaurient.com/editor_upload/file/wenesuwiduxatumisatevolet.pdf (in PDF document text)
    • http://lienming-rubber.com/uploads/files/202109160258261112.pdf (in PDF document text)
    • https://cleaner.pl/userfiles/file/gitimawetuzulilifadi.pdf (in PDF document text)
    • https://rapn.ru/ckfinder/userfiles/files/jikiwedalijaxoxiju.pdf (in PDF document text)
    • https://tedvandergulik.nl/userimages/file/69707761338.pdf (in PDF document text)
    • https://voziky-paletove.cz/mctree.cz/pictures/other/files/32980954427.pdf (in PDF document text)
    • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/bmt9o4lkpev5nqpfh8bs9iprcs/49004339550.pdf (in PDF document text)
    • http://cheniou.handysociality.com/upload/files/fuveregemif.pdf (in PDF document text)
    • https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/9dcbf6b3fe74900968e1a9dde99c10aa/63883665631.pdf (in PDF document text)
    • http://ahjygjg.com/upload_fck/file/2021-9-18/20210918141016172997.pdf (in PDF document text)
    • http://www.stratcareerservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d74779a404---dafobifivetezuvegodiruk.pdf (in PDF document text)
    • http://gzcil.com/uploadfile/files/kisajulojoxivosubane.pdf (in PDF document text)
    • http://www.dawnrotaryclub.tw/UserFiles/files/lowobukugimubabofajobubog.pdf (in PDF document text)
    • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16134063c7f209---pukusebumupup.pdf (in PDF document text)
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16133b7f4ecb7c---29811307123.pdf (in PDF document text)
    • http://ajk-opakowania.eu/upload/fck/file/tibotibedavun.pdf (in PDF document text)
    • http://zlzljc.com/uploadfile/file///2021090201485679.pdf (in PDF document text)
    • http://www.danvillern.com/wp-content/plugins/super-forms/uploads/php/files/208771492958de201c3d54ae73b135bd/73307306287.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=download+pinger+apk (PDF link annotation)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The two dejavu.sourceforge.net links are the DejaVu font project's home and license pages, consistent with the embedded sfnt font listed under Extracted artifacts, and are not part of the link farm. The feedproxy.google.com link is the only clickable link annotation; every other URL is plain document text.
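
The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) describe their logic in prose. The following Python is an added worked example written by the editor, not the analyzer's own code, that applies the same logic to a subset of the URLs listed above so the verdict can be reproduced offline. The upload-directory regexes, the random-slug test, the rule thresholds (ten external PDF links, a dominant-host share of at most 20%, three plugin-upload hits on three hosts, a 200 KB size cap) and the benign control list are assumptions chosen for illustration.

```python
"""Link-farm heuristics over URLs extracted from a PDF (editor's added example,
not the analyzer's code). REPORT_URLS is a subset of the report's URL list;
regexes, thresholds, rule names and BENIGN_URLS are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Upload dirs of the WordPress form plugins named in the report (assumed list).
UPLOAD_DIR_PATTERNS = {
    "formcraft": re.compile(r"/wp-content/plugins/formcraft/file-upload/server/content/files/", re.I),
    "super-forms": re.compile(r"/wp-content/plugins/super-forms/uploads/php/files/", re.I),
    "ckfinder": re.compile(r"/ckfinder/userfiles/", re.I),  # generic CMS uploader
}
WP_FORM_PLUGINS = {"formcraft", "super-forms"}


def looks_random(stem):
    """Random-looking stems seen in the report: FormCraft's hex---word form,
    long all-digit stems, long lowercase runs (an 8+ letter word also matches)."""
    if "---" in stem or (stem.isdigit() and len(stem) >= 8):
        return True
    return re.fullmatch(r"[a-z]{8,}", stem) is not None


def classify_url(url):
    """Per-URL features: host, .pdf target, random stem, upload dir, utm_term."""
    p = urlparse(url)
    stem, _, ext = p.path.rsplit("/", 1)[-1].rpartition(".")
    plugin = next((name for name, rx in UPLOAD_DIR_PATTERNS.items()
                   if rx.search(p.path)), None)
    return {
        "host": p.netloc.lower(),
        "is_pdf": ext.lower() == "pdf",
        "random_slug": looks_random(stem.lower()),
        "plugin": plugin,
        "seo_redirector": "utm_term" in parse_qs(p.query),
    }


def link_farm_verdict(urls, file_size_bytes, small_pdf_bytes=200_000,
                      min_links=10, max_dominant_share=0.2, min_plugin_hits=3):
    """Apply both link-farm rules; thresholds are assumptions (keyword args)."""
    feats = [classify_url(u) for u in urls]
    pdf_links = [f for f in feats if f["is_pdf"]]
    n = len(pdf_links)
    hosts = Counter(f["host"] for f in pdf_links)
    dominant_share = hosts.most_common(1)[0][1] / n if n else 0.0
    plugin_hits = [f for f in pdf_links
                   if f["plugin"] in WP_FORM_PLUGINS and f["random_slug"]]
    plugin_hosts = {f["host"] for f in plugin_hits}
    seo_redirector = any(f["seo_redirector"] for f in feats)

    rules = []
    # Random-slug files in vulnerable form-plugin upload dirs across many hosts.
    if len(plugin_hits) >= min_plugin_hits and len(plugin_hosts) >= min_plugin_hits:
        rules.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    # Small file, many external PDF links, no dominant host, utm_term redirector.
    if (file_size_bytes <= small_pdf_bytes and n >= min_links
            and dominant_share <= max_dominant_share and seo_redirector):
        rules.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": n, "distinct_hosts": len(hosts),
            "dominant_share": round(dominant_share, 3),
            "plugin_hits": len(plugin_hits), "seo_redirector": seo_redirector,
            "rules": rules}


# Subset of the URLs extracted from the sample (EMBEDDED_URL section above).
REPORT_URLS = [
    "https://odlingfamily.com/userfiles/file/nixunulo.pdf",
    "http://biosafety.biz/ckfinder/userfiles/files/nogizaniwetunib.pdf",
    "http://mrhobbscoffee.com/images/uploads/file/42468498641.pdf",
    "https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/bmt9o4lkpev5nqpfh8bs9iprcs/49004339550.pdf",
    "https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/9dcbf6b3fe74900968e1a9dde99c10aa/63883665631.pdf",
    "http://www.stratcareerservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d74779a404---dafobifivetezuvegodiruk.pdf",
    "http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16134063c7f209---pukusebumupup.pdf",
    "http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16133b7f4ecb7c---29811307123.pdf",
    "http://www.danvillern.com/wp-content/plugins/super-forms/uploads/php/files/208771492958de201c3d54ae73b135bd/73307306287.pdf",
    "http://zlzljc.com/uploadfile/file///2021090201485679.pdf",
    "https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=download+pinger+apk",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

# Constructed benign control: a normal citation pattern on a single host.
BENIGN_URLS = [
    "https://example.org/papers/intro.pdf",
    "https://example.org/papers/methods.pdf",
    "https://www.rfc-editor.org/rfc/rfc8446",
]

if __name__ == "__main__":
    print(link_farm_verdict(REPORT_URLS, file_size_bytes=74_200))  # both rules fire
    print(link_farm_verdict(BENIGN_URLS, file_size_bytes=74_200))  # no rule fires
```

Run stand-alone, the script reports both rules for the sample's URLs (ten external PDF links on ten distinct hosts, six of them random-slug files in FormCraft or Super Forms upload directories, plus a utm_term redirector) and no rule for the benign control, where two links share one host and the stems are ordinary words. The font license URL is correctly ignored because it is not a PDF target. The heuristic deliberately never fetches anything, so it says nothing about whether the destinations are still live; that is a separate, online step in triage.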

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e4b7.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE4B7
Size: 10480 bytes
SHA-256: b457c0e708023c894f4a0e79821326c2935c5cc80938d4bc635b337fb866e0bc