Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a2fb6e4f4d5286c…

Verdict: MALICIOUS

File type: PDF

Size: 116.6 KB
Created: 2021-06-26 08:33:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-21

MD5: 1c9a1664a7a1a9b7037423ac50920f35
SHA-1: df13d878d45c1c5d777310bc247ac59b72817fed
SHA-256: 8a2fb6e4f4d5286cf9287f89f0c17e6034924d068eb1f96313648bc3381d288f

Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The file was detected as a malicious PDF by ClamAV and an ML classifier. Static analysis revealed it functions as a link farm, with numerous URLs pointing to compromised CMS uploads and disposable hosting. These links likely serve as a lure to direct users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8213

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • http://www.aportecnica.com/imagenes/editor/file/96596105670.pdf (in PDF document text)
    • http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b9d1786bf4---mofurexuku.pdf (in PDF document text)
    • https://lightupalife.org.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160d1ddb2f0f28---vifojufa.pdf (in PDF document text)
    • http://chayka-svg.ru/files/61937550036.pdf (in PDF document text)
    • https://vashadvokat82.ru/wp-content/plugins/super-forms/uploads/php/files/d64d3c2e52c3772fdc6823f404fe273e/73923893046.pdf (in PDF document text)
    • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609780529c9c5---8112544253.pdf (in PDF document text)
    • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/4b11521a07039acc13d30d1a388ca95c/nixoxomenedidoj.pdf (in PDF document text)
    • http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c0fc74e9ae9---24780993291.pdf (in PDF document text)
    • https://wholisticvibrations.com/wp-content/plugins/super-forms/uploads/php/files/4dad0aa9351f860663a3d3b0f779f2db/47514384138.pdf (in PDF document text)
    • https://relleno-acidohialuronico.com/wp-content/plugins/super-forms/uploads/php/files/be399f16a8ebec36ec21e9d84f072d79/91467795434.pdf (in PDF document text)
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b04a48201f7---fewidagejomij.pdf (in PDF document text)
    • http://beckydavidsonhomes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609294a6a4799---gigukulizavipa.pdf (in PDF document text)
    • https://yuss.it/file/93466576740.pdf (in PDF document text)
    • http://becro-plast.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160a1539074fca---12224300413.pdf (in PDF document text)
    • http://topup-fight.com/ckfinder/userfiles/files/bixujugemasufapa.pdf (in PDF document text)
    • http://www.meglobalinc.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16077e719a25a2---lavezigatunar.pdf (in PDF document text)
    • http://mas.vacations/wp-content/plugins/formcraft/file-upload/server/content/files/160706cfe1fd29---96574228244.pdf (in PDF document text)
    • http://autosoftware.company/autoresponders_images/files/jibusexopudulusupemabare.pdf (in PDF document text)
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/sbskgc6faf51n1ocas8l79dq26/lekimotezoluzesugana.pdf (in PDF document text)
    • http://polymer-optix.de/userfiles/file/43347968675.pdf (in PDF document text)
    • http://vector-luczak.pl/new/fck_user_files/file/nijowug.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=small+signal+analysis+of+jfet (PDF link annotation)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001afd5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AFD5
    Size: 1224 bytes
    SHA-256: 95ee8141f2a0acad0c37a502fc2a8a1430ee60f8a0aa6ba684720e8a928f85cf
  • Filename: font_01_sfnt_off0001b6ed.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B6ED
    Size: 16068 bytes
    SHA-256: 6d636ebcb28a43c11a0b96216d988d0aaa25e428b847d4e039b2a2a6b6e27b6d