Malicious PDF — malware analysis report

Static analysis result for SHA-256 916a45d498532564…

MALICIOUS

PDF

57.2 KB Created: 2021-05-11 00:32:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a153558c5ee750cb54dae5210203989c SHA-1: 0cea02a1e8848c32bc50790af49ef0e5c63c150b SHA-256: 916a45d498532564fc75f2e4cad6242329bf2f962cc0f9b9d69707865914b811
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or malware distribution attempt. It contains numerous links, many pointing to compromised WordPress sites, suggesting it functions as a link farm to distribute further malicious content. The document body is heavily obfuscated and unreadable, but the presence of URLs like 'https://archism.ru/uplcv?utm_term=bully+anniversary+edition+mod+apk+lite' indicates a lure for potentially unwanted software or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6973

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/uplcv?utm_term=bully+anniversary+edition+mod+apk+lite
    • https://olmitek.by/wp-content/plugins/super-forms/uploads/php/files/lfqfa12d2kdqnm30goaci3fhe1/68930628877.pdf
    • http://nuraski.pl/wsg/userfiles/lijonale.pdf
    • https://hcs1000.org/wp-content/plugins/super-forms/uploads/php/files/4f1e4ad06b92bb8c515729c73a6df23a/zukopofilig.pdf
    • http://www.idenet.net/wp-content/plugins/formcraft/file-upload/server/content/files/16077b3b43cc58---bilolebesoje.pdf
    • https://elicopter-de-inchiriat.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1606e120e6a0f1---97796155990.pdf
    • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1609627acd32a4---kijitamaziva.pdf
    • https://micast.de/wp-content/plugins/super-forms/uploads/php/files/3398k37jo6u2hc1pqjbaj7euo5/10120546610.pdf
    • https://mytutr.com/wp-content/plugins/super-forms/uploads/php/files/8043f9f5395beef6009a9970a1c8aa00/3976239714.pdf
    • http://www.a-fairys-choice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607868020719a---fexupenisuzenoxojuxome.pdf
    • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099a2fdc8ad4---vubusipuzuburepasolo.pdf
    • http://dodici12.ru/wp-content/plugins/super-forms/uploads/php/files/8bjb1id723s8khl2lrgg4ucv54/47775658231.pdf
    • https://www.alphaveneers.com/wp-content/plugins/super-forms/uploads/php/files/e83ac1cfb50cf6b65218f34f15ff4f58/80242102470.pdf
    • https://refour.dk/wp-content/plugins/super-forms/uploads/php/files/72fab89447ec6913d91f4a2dab5a6cda/wabajadagun.pdf
    • http://www.a-fairys-choice.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082bf28b2e7d---19390481736.pdf
    • http://americanpetrochemicals.com/customers/CMS-IMAGES/file/51370567484.pdf
    • http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/fa21106d680997a513ced465a7bb8f1d/31901853421.pdf
    • http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ef773f0322---misokevororezivol.pdf
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e102b26e6a---pavemazoxigutefabofipul.pdf
    • https://sharpspringwww.kinsta.cloud/wp-content/plugins/super-forms/uploads/php/files/8e82badd525bb28e9e3e091cdf40cc82/danelumolagimorojawi.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.