Malicious PDF — malware analysis report

Static analysis result for SHA-256 91ebf490438939d0…

MALICIOUS

PDF

90.9 KB Created: 2021-07-04 05:49:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 761778bde9cbc424a615c47dcc0bc7b4 SHA-1: 1f6dcb9c9a0222d2d97078d305e1d6c8ba291ba9 SHA-256: 91ebf490438939d0f6f4e3ac36ba5ace3d2f28d2e7b4001314cedffedd2bb0a8
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous links, many of which point to websites hosted on compromised WordPress installations, indicating a link farm designed to distribute malicious content. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The file's structure and URL patterns suggest it's part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.0115

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://computer-rudolstadt.de/upload/file/60724422448.pdf
    • https://rmissio.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16071de9c274a2---55736197635.pdf
    • https://felix-schulze.biz/wp-content/plugins/super-forms/uploads/php/files/hh3r4n1toe5tds3dc0aumpgg3i/29058362718.pdf
    • https://x-software.cz/data/file/67078804397.pdf
    • https://spazmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160856c9519b58---50807703929.pdf
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607dc57346a78---linepaxi.pdf
    • http://chipublichouse.com/ckfinder/userfiles/files/mujipoxuw.pdf
    • http://akkoryazilim.com/userfiles/file/46640711258.pdf
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b496d4a7d9c---82625333218.pdf
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/860001879ffc894d9a7d7069ed132e69/39396866219.pdf
    • http://ventmetal.ru/userfiles/files/xemotolubajo.pdf
    • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607115a8d149b---zubiza.pdf
    • https://comobrew.com/newsite/images/user_uploads/file/foxobidegamibitegojoripux.pdf
    • https://www.olympusnorge.no/wp-content/plugins/super-forms/uploads/php/files/36e1rivo83c4em9201f7lr1cng/tegajowuzefinil.pdf
    • https://laser-arena.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1607e36d754b73---disaxoponigosofabivujo.pdf
    • http://nutricion-intravenosa.com/wp-content/plugins/super-forms/uploads/php/files/18e814fc51db7373fa26cf7278794c12/59525708537.pdf
    • http://greenplanetnepal.com/userfiles/file/gatafeluvaru.pdf
    • http://1970fchs50thclassreunion.com/clients/1/19/19770213778af891f1b13fa25f964f50/File/buvuzivulebik.pdf
    • https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a132e0286e1---pivejoronajut.pdf
    • https://www.pal-kont.hu/wp-content/plugins/super-forms/uploads/php/files/81f0a7c039995431e9220a595ed72566/kaviza.pdf
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160bf746067fb4---dutoxixujemuxeso.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abfe293b846---pixowaroxizukimor.pdf
    • https://seeandhearbetter.ie/img/shop//contents/janizakuraxivipiwiwepipe.pdf
    • http://abwvictory.com/uploads/files/96165618259.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=solubility+rules+lab
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010587.bin
ed4691d0fd97b4a3df27f656840bf6d5da7bcbe16a575015529a70c9ff0254e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10587 10428 bytes
font_01_sfnt_off00011d54.bin
f7573c71f8c1c069de4c3d6c7ed8835fec0f5e3f6174416a6170552eca715efa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D54 18636 bytes
font_02_sfnt_off00014f36.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14F36 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.