Malicious PDF — malware analysis report

Static analysis result for SHA-256 93d9e8faf84d4b5d…

Verdict: MALICIOUS
File type: PDF
Size: 223.6 KB
Created: 2021-06-10 01:57:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00761d187bec3abf4f20a2812d61d158
SHA-1: 9e7caab6b34a113df5a36426384cbf41e1f1fa7b
SHA-256: 93d9e8faf84d4b5d416bdc20df43ea1a7bfd80d0d06001d3ed52ae496e4972e5
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is identified as a malicious PDF by ClamAV, and it contains numerous embedded URLs pointing to compromised WordPress sites and other domains. These URLs likely serve as lures for phishing or to download further malicious content. The PDF structure and embedded links suggest an attempt to redirect users to external, potentially malicious, resources.

Machine Learning

  • Nyx PDF Classifier clean score 0.1924

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_002_off00025939.bin | 0bb69e856f43fd4bf63edb76c1c1918700dc8b0c92d2aa92842ced536978006c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x25939 | 44112 bytes
stream_012_off0003721f.bin | 93efa161c7e0d1ddba22352ee90d4b94a47616937ec716d1e487f0df34a9347f | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3721F | 4131 bytes
font_01_sfnt_off0002df0d.bin | 0a167fb921689fce52d546ed9470ccedf6296c20167fef2f88cdf1648f3f61a5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2DF0D | 5284 bytes
font_02_sfnt_off0002f0ab.bin | f5e62ba6b7089b9aeca8e43a5ec15b484124f90a0be4f4931aa3bdff8dcf53f8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F0AB | 22684 bytes
font_03_sfnt_off00032916.bin | 7cea4e6ba8c0c637c3162bf11da974deb02d9d6bf83f8d83b172c2031de6d07a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32916 | 3940 bytes
font_04_sfnt_off00033881.bin | 765c68be406903265788cc2c728bcf105139e9d0f3d9b98293b6b5154cfb1ffe | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33881 | 18988 bytes