Malicious PDF — malware analysis report

Static analysis result for SHA-256 90f1c10d163771b5…

MALICIOUS

PDF

53.8 KB Created: 2021-09-28 13:37:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 20d6ae34dc7c2f66c5922c1af60b69b8 SHA-1: f4ec2130bb8bdc1a24a45cfc100c93bdc8b9c461 SHA-256: 90f1c10d163771b514225d3c28fe8e3cda9259d448f8f5f44ca60c818471f31f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links, many pointing to compromised CMS upload directories and disposable hosting, suggesting a phishing or redirection scheme. The ClamAV detection and ML classifier further indicate malicious intent, likely to lure users to external sites for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8276

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://globalybm.com/ckfinder/userfiles/files/1632188196.pdf In PDF document text
    • http://www.hkimm.hk/_bin/ckfinder/userfiles/files/dukutokakezokuvemeze.pdfIn PDF document text
    • https://eduinfinite.com/wp-content/plugins/super-forms/uploads/php/files/b8b3035f37bb5ecdcd1f6f2a60967f79/39907459707.pdfIn PDF document text
    • https://freedomtampons.com/wp-content/plugins/super-forms/uploads/php/files/c95cd3b808dc0322e682bcfe6ddfcbc3/juzipex.pdfIn PDF document text
    • http://murito.fr/ckfinder/userfiles/files/momamotevulegosezi.pdfIn PDF document text
    • http://aweibel.com/Photo/file/96048907958.pdfIn PDF document text
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/bb42e6e8e2e8a1a8ae784035ef5a3507/98872064423.pdfIn PDF document text
    • http://barefoot.pl/userfiles/file/bilowuzovup.pdfIn PDF document text
    • https://cherrychile.cl/cherry/uploads/contenido/files/86607006648.pdfIn PDF document text
    • https://www.tyrtaios.gr/ckfinder/userfiles/files/mukasofotokunepalamurene.pdfIn PDF document text
    • http://cnsgawefgl.netsociality.com/upload/files/palupisapejojab.pdfIn PDF document text
    • http://epilia.com/upload/FCKEditorfile/gofug.pdfIn PDF document text
    • https://tkbhanna.com/ckfinder/userfiles/files/68238243270.pdfIn PDF document text
    • https://kimcert.org/E/file/52828979304.pdfIn PDF document text
    • https://hijaustabilo.com/contents/files/bijoxitamasudutegurapurix.pdfIn PDF document text
    • http://www.satunatc.ac.th/ckfinder/userfiles/files/gigumisuwasakigilog.pdfIn PDF document text
    • http://kimwendelldesign.com/ckfinder/userfiles/files/2750646867.pdfIn PDF document text
    • http://erpos.sk/data/files/26630562571.pdfIn PDF document text
    • https://weldingportal.it/userfiles/file/86769208268.pdfIn PDF document text
    • https://alharithiforcameras.com/ckfinder/userfiles/files/kulinematexak.pdfIn PDF document text
    • http://meteosputnik.ru/userfiles/file/fozerozazulewiditij.pdfIn PDF document text
    • http://songhandiban.com/uploadfile/file/2021091623482973499.pdfIn PDF document text
    • http://virtualcharityevents.com/vce_cake/files/files/jaresixido.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/1xuhb7AK25c/uplcv?utm_term=discrete+mathematics+and+its+applications+with+combinatorics+and+graph+theory+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ba64.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBA64 11408 bytes
SHA-256: 2b05dbb0091d4ae9cef46c41fc8dcf565d5b582b72be2ea40e424cfc4101a2e4