Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aa901fb7c8c2d8b…

MALICIOUS

PDF

62.4 KB Created: 2021-10-02 14:32:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 034401c2b7baaea7c76026cdbb6b585b SHA-1: 5a87f3671ba50c87b4d2512b0a13cbc902b4fd14 SHA-256: 8aa901fb7c8c2d8bd489ebd3ffd13ac980afa2d9b6652656aeaba5145bbbe88d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan payload. It contains numerous embedded URLs, many of which point to compromised WordPress upload directories, suggesting a link farm designed to redirect users to malicious content. The document body is heavily obfuscated and unreadable, providing no further context on the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6567

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/uplcv?utm_term=i+just+wanna+hold+you+in+my+arms PDF link annotation
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/161580abc72d39---butojamamabemiwopener.pdfIn PDF document text
    • http://haenuri.net/ckupload/files/jekujuvadisixom.pdfIn PDF document text
    • https://medius.sk/userfiles/file/juxigifa.pdfIn PDF document text
    • http://braghieriarchitettura.com/userfiles/files/fawawobej.pdfIn PDF document text
    • https://superpart.com/files/90742660201.pdfIn PDF document text
    • http://vce34.ru/attachments/file/pabizeled.pdfIn PDF document text
    • https://fedico.ca/upload/editor/file/dekitugu.pdfIn PDF document text
    • https://kimtuong.vn/isc/public/files/fckupload/file/57914509680.pdfIn PDF document text
    • http://obedovice.cz/userfiles/file/94053616054.pdfIn PDF document text
    • http://szilasfood.hu/pic_upload/files/takixereniroroletaziv.pdfIn PDF document text
    • http://ch-bovi.com/upload/files/ripodi.pdfIn PDF document text
    • http://fujiya-la.com/uploads/files/87911684622.pdfIn PDF document text
    • http://retrolondontees.com/userfiles/file/50189034440.pdfIn PDF document text
    • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613ac980a3fe6---kadinesofijezowuxegal.pdfIn PDF document text
    • http://www.impactit.in/ckfinder/userfiles/files/suxizamusopapiwefat.pdfIn PDF document text
    • http://halvani.com/wp-content/plugins/formcraft/file-upload/server/content/files/161395b2e78363---85813274848.pdfIn PDF document text
    • http://noxsun.com/jingkelun/userfiles/files/20210909084857.pdfIn PDF document text
    • https://naveenent.com/administrator/imagetemp/file/zodox.pdfIn PDF document text
    • http://thinhhoanggia.vn/Images_upload/files/latifewuta.pdfIn PDF document text
    • http://iccjsc.vn/images/uploads/files/1850351231.pdfIn PDF document text
    • http://accessprecision.com/userfiles/file/44282061819.pdfIn PDF document text
    • http://commune-bourre.com/userfiles/file/92013226033.pdfIn PDF document text
    • http://dichvutheapec.com/upload/FCK/file/fogexazegir.pdfIn PDF document text
    • http://kimbuunguyen.com/uploads/userfiles/file/66663739710.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ae6d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAE6D 14144 bytes
SHA-256: 7b3da497eb79c3da253b1e6e5f11718c422b8ade0b4c4c8b8c457ca1a0c0d396
font_01_sfnt_off0000d205.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD205 10764 bytes
SHA-256: 09dadf07a07f49d2f8e6109c700b2502e7554ae8ccedae1718db7e3a46ffa685