Malicious PDF — malware analysis report

Static analysis result for SHA-256 879c4c4357fecc1a…

MALICIOUS

PDF

83.5 KB Created: 2021-09-06 23:37:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: a67aa479033dd20df573a0e5ba05db78 SHA-1: f21dcf87b5efa2a1eb065c3e020b4c7b515910ae SHA-256: 879c4c4357fecc1ae41cebe2593300e364de14e61c1449768a04d13a9999c51f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm pointing to multiple compromised WordPress sites, identified by heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware delivery. No scripts were extracted, but the structure itself is the attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9430

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.assignproject.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607885ec5cfa4---91963337747.pdf In PDF document text
    • https://feriaesotericadeatocha.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f7d699e077---netuw.pdfIn PDF document text
    • https://tocgia247.com/wp-content/plugins/super-forms/uploads/php/files/ob2l1fd97v4mo3s7f24vuok5dv/21427818665.pdfIn PDF document text
    • https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/b1db82f34a10b6994a87867028045859/9716164116.pdfIn PDF document text
    • https://emenu.hu/editor_up/76145775982.pdfIn PDF document text
    • http://bright-inter.com/file_media/file_image/file/gelinawejabanekelukiki.pdfIn PDF document text
    • http://svaz-podnikani.cz/files/file/xinidimotomigenijemad.pdfIn PDF document text
    • https://harkakotony.hu/UserFiles/file/busififef.pdfIn PDF document text
    • http://poetryforthespirit.com/clients/872464/File/71405207918.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/eb91bc6fbe124b24b3f15f827effb74c/moforixep.pdfIn PDF document text
    • https://marljivo.hr/userfiles/file/piresomewera.pdfIn PDF document text
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076b05f27e51---xuduwinumu.pdfIn PDF document text
    • http://bookblog.kr/data/file/files/347944263.pdfIn PDF document text
    • https://www.baust.edu.bd/app/webroot/ckfinder/userfiles/files/xojizagerisowoboxezag.pdfIn PDF document text
    • https://kantankacreative.com/wp-content/plugins/super-forms/uploads/php/files/8ff3a3ec30f36a4a7a558075197a918d/70189968160.pdfIn PDF document text
    • https://sankaibearing.com/userfiles/files/jebesurulu.pdfIn PDF document text
    • https://dezsredstvompx.ru/wp-content/plugins/super-forms/uploads/php/files/e419fde8bc2b575539c56f023b5a880d/danadaw.pdfIn PDF document text
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/160971e0eea8bd---88737342785.pdfIn PDF document text
    • http://meble-tk.pl/userfiles/file/60641999264.pdfIn PDF document text
    • https://ddtoyz.com/ckfinder/userfiles/files/wimejexogaketotade.pdfIn PDF document text
    • http://vigova.vn/Images_upload/files/66696439042.pdfIn PDF document text
    • https://prsnashville.com/wp-content/plugins/super-forms/uploads/php/files/a3c793ecc19d3e123828090363252d7c/46142220220.pdfIn PDF document text
    • http://nowator-zpu.pl/userfiles/file/xawaxujijixadumofiloruku.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=uta+biology+degree+plan+2016+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000edcd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEDCD 18144 bytes
SHA-256: 3d8c09293029c4f0fdf723073f7156ad410430c4474a37694e33205b4e60c600
font_01_sfnt_off00011cdb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11CDB 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000134f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x134F2 11228 bytes
SHA-256: a0917ba80b2e87d243e678e5dff770ce8c76af6dc3737d826e2aeea2e0e770d6