Malicious PDF — malware analysis report

Static analysis result for SHA-256 86cc869a98a39d42…

MALICIOUS

PDF

57.2 KB Created: 2021-09-17 00:34:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: c398c5262bc7e4ecfefa81fb693ee771 SHA-1: c59372efad437bed0542b26358af103e60afce5b SHA-256: 86cc869a98a39d42b8b747431673869cf26e883d9b0a27c39723731a51b32233
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a significant number of external links, many pointing to compromised WordPress sites. These links form a link farm, likely intended to redirect users to phishing pages or download further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8244

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=the+walking+dead+season+1+episode+1+english+subtitles+watch PDF link annotation
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/g25ljfuhhjp86qa13lbq5j217n/94883093070.pdfIn PDF document text
    • http://alwaysshine.com/fileimage/file/vesotalapolumowok.pdfIn PDF document text
    • http://intechsol.kz/wp-content/plugins/formcraft/file-upload/server/content/files/16133898d3c0ea---suginibo.pdfIn PDF document text
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/16133899fe6c64---17898343049.pdfIn PDF document text
    • http://cokhixnktientien.com/Images_upload/files/pusizavapifonis.pdfIn PDF document text
    • https://vietnam-pump.com/userfiles/file/48471901063.pdfIn PDF document text
    • http://guowangcable.com/d/files/82267325094.pdfIn PDF document text
    • http://osmed.cz/app/webroot/files/files/65528469604.pdfIn PDF document text
    • http://twozonechickenlasvegas.com/uploads/files/lusigalijikakodinimivub.pdfIn PDF document text
    • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/455ba48ee0d9b1db778486769561a54c/toruxifubarufaxunerez.pdfIn PDF document text
    • http://peoplefineart.com/assets/202109/files/20210908110332981223.pdfIn PDF document text
    • http://dobraukraina.org/sites/all/sites/dobraukraina.org/files/87929570931.pdfIn PDF document text
    • http://envigest.cz/upload/file/gedosibakoxop.pdfIn PDF document text
    • http://dangkykinhdoanhkiengiang.com/upload/ck/files/tarafawijebejupofus.pdfIn PDF document text
    • https://maloneslandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614219adaf438---17035817117.pdfIn PDF document text
    • https://psychologgia.pl/Upload/file/76906524564.pdfIn PDF document text
    • http://drprdesaihospital.com/uploads/peduxumasepasoxu.pdfIn PDF document text
    • https://shen-su.eu/gfx/userfiles/files/tapajogi.pdfIn PDF document text
    • http://kaies.cn/upfiles/210910045935765464rshng4.pdfIn PDF document text
    • https://pikewallis.no/wp-content/plugins/formcraft/file-upload/server/content/files/16143b64ed0461---zijuwetaxoriketujebavepis.pdfIn PDF document text
    • http://apvn.info/userfiles/file/35004708617.pdfIn PDF document text
    • https://detector-billetes.com/Imagenes/file/lazazasek.pdfIn PDF document text
    • https://postele-z-masivu.sk/ckfinder/userfiles/files/31382575949.pdfIn PDF document text
    • https://reaga.net/js/ckfinder/userfiles/files/fedexusemepanevu.pdfIn PDF document text
    • http://kozhencherrymtc.org/userfiles/file/19298998990.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c8bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC8BD 11124 bytes
SHA-256: 3607cba1dc68ff5bb6d93c46718a965f58a386a9889ac4b823d8c6b72927036f