Malicious PDF — malware analysis report

Static analysis result for SHA-256 8655f328a287e28f…

MALICIOUS

PDF

70.3 KB Created: 2021-06-05 06:31:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 16fcf836b850d2ecc1186283fef8e90f SHA-1: 3f201ac4598a129400836765e6c90820c794ca1c SHA-256: 8655f328a287e28fcbcb852394b93014ff6dcd5491ae473ac423a653d56035d1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

This PDF document is classified as malicious and detected as a phishing trojan by ClamAV. It employs a link farm strategy, hosting multiple PDF files on compromised WordPress sites, with one URL specifically mentioning a 'Widevine content decryption module update' to deceive users. The document's structure and embedded links suggest an attempt to redirect users to malicious content or downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8132

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=widevine+content+decryption+module+update+ubuntu
    • https://southernlightingsource.com/wp-content/plugins/super-forms/uploads/php/files/554000ad35ffa3508b3d9adc49112950/89321119172.pdf
    • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/160756e215f957---sulidukadesifenegakam.pdf
    • https://www.frankreich-ferien.ch/wp-content/plugins/formcraft/file-upload/server/content/files/16072499552d41---xigorepekedo.pdf
    • http://www.akutrans.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086459e8732d---wogonoxuxodupi.pdf
    • http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b773bd94be3---6369971436.pdf
    • https://bladmedyczny24.pl/wp-content/plugins/super-forms/uploads/php/files/97e1a57b2cbcdae6f15a2de33e5d454d/ruresobitazojudifanonawex.pdf
    • http://angelcabrera.com/FCKfiles/file/41652595592.pdf
    • https://dipinkrishna.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f50eea4621---2717618122.pdf
    • http://xn--80aaeiengkwpz6p.xn--p1ai/pub/file/23158960185.pdf
    • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abfddb164ac---91968813847.pdf
    • https://fuchscars.com/wp-content/plugins/super-forms/uploads/php/files/be4a62fbe5db0c95e7862837697812e3/xisudibasamugoxig.pdf
    • http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3eb5347c47---lamabefofokekofuw.pdf
    • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1607c56d410a34---20612828417.pdf
    • https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/16092d301b4a16---fuzenajamisozikufade.pdf
    • https://veglifekc.org/wp-content/plugins/super-forms/uploads/php/files//758657430.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5bb.bin
9497aad080b6b89af6de86049a5a4cf2a54cb453db121b26a1a109456656c63c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE5BB 5356 bytes
font_01_sfnt_off0000f7ea.bin
0585a3061d10506381899dc9cfc765943166d98358378bab440442ed4a00b01c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7EA 10904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.