Malicious PDF — malware analysis report

Static analysis result for SHA-256 887d2125f2893b8d…

MALICIOUS

PDF

65.1 KB Created: 2021-09-24 17:20:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: ca606f65eb3cdea99710a193fdf71d12 SHA-1: 5290588493a79539259f10a06798e07908c92401 SHA-256: 887d2125f2893b8d1ddad2175612397f507776a282bd3e8ba91f7044248a6007
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which point to compromised CMS upload directories or disposable hosting. This structure is indicative of a link farm designed to distribute malicious content or phish for credentials. ClamAV also detected this file as a phishing trojan, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4280

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://seoulmenu.com/uploads/files/82997089442.pdf In PDF document text
    • http://apexnepaltravel.com/userfiles/file/59392582332.pdfIn PDF document text
    • http://www.ddd-iasi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1613c8c3c14ccf---bokumakepujonebakugogub.pdfIn PDF document text
    • http://www.cenlajobinator.com/siteuploads/editorimg/file/88709708598.pdfIn PDF document text
    • https://tramhuonghanoi.vn/upload/files/mivuwumufatu.pdfIn PDF document text
    • http://parkingparts.com/Upfiles/file/nelise.pdfIn PDF document text
    • http://chokmanee.com/userfiles/file/pitovelotojewoxij.pdfIn PDF document text
    • http://eiak.org/upload/editor/files/rotexusutizexov.pdfIn PDF document text
    • https://binhruamuinanobac.com/wp-content/plugins/super-forms/uploads/php/files/orr2u57h1jldv6elps8ospm5u7/fezavejunarujape.pdfIn PDF document text
    • http://rrmkaryacollege.org/rrmkarya/userfiles/file/39595347803.pdfIn PDF document text
    • http://khangvietdn.com/uploads/file/zunimapunekavonog.pdfIn PDF document text
    • http://tugrabilgisayar.net/resimler/files/84967923891.pdfIn PDF document text
    • https://lerong.vn/wp-content/plugins/super-forms/uploads/php/files/64ce64062262e7b435fce30449609c77/91821989516.pdfIn PDF document text
    • http://associazionemillesogni.it/userfiles/files/kumute.pdfIn PDF document text
    • https://careerexpo.alljobsinliberia.com/ckfinder/userfiles/files/kodupizapina.pdfIn PDF document text
    • http://fsanaq.com/upload/file/210916043033937502hy5uup19ces8.pdfIn PDF document text
    • https://osakadentalcare.com/contents/files/wexaxegativunalakunopov.pdfIn PDF document text
    • https://bancodevida.com/bancodevida/admin/images/image/file/fisoxera.pdfIn PDF document text
    • http://epilia.com/upload/FCKEditorfile/weruzasalubakujosas.pdfIn PDF document text
    • http://nelly-design.ru/upload/files/gorexekabep.pdfIn PDF document text
    • https://kirmatas.com/userfiles/file/rofixobobajixufu.pdfIn PDF document text
    • https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/161454fccd4a8e---20054653396.pdfIn PDF document text
    • http://explosivedevices.ru/media/file/tugemasonukusu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=new+mutants+123PDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ae5b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAE5B 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000c672.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC672 10420 bytes
SHA-256: e8b1ce9e885e8c7317e68eba116581b2806eb260067e7529babfce18fa5a86a9
font_02_sfnt_off0000de3c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE3C 14828 bytes
SHA-256: 2b98bc5fbe048526a3a83042aacfbccd8da391e781c305828d38cc496d8274e7