Malicious PDF — malware analysis report

Static analysis result for SHA-256 894485a499c51944…

MALICIOUS

PDF

72.0 KB Created: 2021-04-28 11:54:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: adc351e6bcdd6d8390ef924bdb911eea SHA-1: 90645437d2533fb69555bac07c9e22ef7aad2b2b SHA-256: 894485a499c519446ccea1b6f67a2e93b310c82e2ed0613aa3455e17683d76c0
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file is detected as malicious by ClamAV and an ML classifier, indicating it's likely a phishing or trojan delivery mechanism. It contains numerous links to compromised WordPress sites, suggesting a link farm used to distribute further malicious content, potentially disguised as an exam answer key. While no scripts were explicitly extracted, the PDF structure and heuristic firings point towards a malicious intent to redirect users to compromised hosts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6331

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072d3928681b---78240199713.pdf In PDF document text
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/bfe6ac35d4aee303703118512c6c2dcc/35798960031.pdfIn PDF document text
    • http://www.misshandicap.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160703e12927a8---pabininigulifozufodi.pdfIn PDF document text
    • http://www.chinahkcarplate.com/wp-content/plugins/formcraft/file-upload/server/content/files/160745378dfc70---pafaxinize.pdfIn PDF document text
    • https://www.bakirkoytemsilcisi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072d947f3db0---zuziwuterot.pdfIn PDF document text
    • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/3q55nahfspgm3brcnk8obj3vh3/nenozexevosurukadadix.pdfIn PDF document text
    • http://www.scmphotography.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1606c797712061---15576642635.pdfIn PDF document text
    • https://www.breastcancerfoundation.in/wp-content/plugins/super-forms/uploads/php/files/21239795cf9c2ee505dd420b6d578fec/fubesaj.pdfIn PDF document text
    • https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077def42786b---32307261990.pdfIn PDF document text
    • https://victory-agency.com/wp-content/plugins/formcraft/file-upload/server/content/files/160705d4c4f828---87038766333.pdfIn PDF document text
    • https://roadtoring.com/wp-content/plugins/super-forms/uploads/php/files/2de8fadf9b1a7e46e4576d681104238d/vajixoloxepomujojewugara.pdfIn PDF document text
    • https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/8ec278c42430b485f0def1c62aaeb5d5/90725360261.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=computer+exam+answer+key+rsmssbPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNUIn PDF document text
    • http://www.gnu.org/copyleft/gpl.htmRegularIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fd3d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD3D 5256 bytes
SHA-256: 1ebc93b2c592d7b7aadfa32c7afc4f3ac9f2a768f99dda521d2abe97500e9d31
font_01_sfnt_off00010f14.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F14 3720 bytes
SHA-256: b91f3c26f37c28538ed09035cbea6f9221827f1e30b50c452f08cc820bcc167b