Malicious PDF — malware analysis report

Static analysis result for SHA-256 94644c7672f08582…

MALICIOUS

PDF

72.1 KB Created: 2021-10-19 12:58:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 6ec0fa0facc8aa7f497090c8f3f42f9f SHA-1: c4a111f4556e1d1f61a5833135e67a7df23c9cba SHA-256: 94644c7672f08582b12b7e59a10acb41261cf036f90600b3a702c2310d25567b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to compromised WordPress uploads and disposable hosting, indicating an attempt to distribute further malicious content. The presence of external URIs and a high ML classifier score, along with ClamAV detection as Pdf.Phishing.Trojan, strongly suggests a malicious intent to trick users into downloading malware. No scripts were extracted, but the structure implies a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7043

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dalieuht.com/app/webroot/uploads/files/zagebig.pdf In PDF document text
    • https://smartmedia.ro/app/webroot/files/userfiles/files/95764787213.pdfIn PDF document text
    • http://ttmplus.com/userfiles/files/wigidumewujadag.pdfIn PDF document text
    • https://israelonthehouse.com/wp-content/plugins/formcraft/file-upload/server/content/files/16158941199b9f---42255895581.pdfIn PDF document text
    • http://goteneplast.se/files/images/file/kamuzebelifibat.pdfIn PDF document text
    • http://lso-msm.fr/userfiles/file/99838229135.pdfIn PDF document text
    • https://www.hkha.org/ckfinder/userfiles/files/zudipolumaf.pdfIn PDF document text
    • http://reclaimsplus.com/wp-content/plugins/super-forms/uploads/php/files/dfaf8329175db5a9c5867549c66c6455/94209823841.pdfIn PDF document text
    • http://heatexchangersolution.com/upload_fck/file/2021-9-23/20210923190127773564.pdfIn PDF document text
    • https://www.oalysa.cz/ckfinder/userfiles/files/85653945357.pdfIn PDF document text
    • http://playoz.com/ckfinder/userfiles/files/55705474102.pdfIn PDF document text
    • https://asiastudy.in/ckfinder/userfiles/files/7233307109.pdfIn PDF document text
    • https://printjet.pl/pliki_user/File/30485004452.pdfIn PDF document text
    • https://xn--psg-9lac.hu/files/files/66713085278.pdfIn PDF document text
    • https://hophamthaibinh.com/upload/files/50950875801.pdfIn PDF document text
    • https://ever.dacola.com/upload/files/dixakemibuw.pdfIn PDF document text
    • http://peterpan1996.it/userfiles/files/45001755565.pdfIn PDF document text
    • https://www.sahabatkeluargahomecare.com/wp-content/plugins/formcraft/file-upload/server/content/files/161381e8a71f72---xobixekoxagiguku.pdfIn PDF document text
    • http://gyermekhaz.hu/Content/site_images/files/28339938480.pdfIn PDF document text
    • http://randoquad72.fr/userfiles/file/wobofelagorekowitaredug.pdfIn PDF document text
    • http://burragebrothers.org/demo/jolie/beta/userfiles/files/25217437488.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/vavr3nsi691pk4rpo3pjq0afv4/70250726722.pdfIn PDF document text
    • http://sanyosushiglendora.com/uploads/files/buximim.pdfIn PDF document text
    • http://beccaro.it/userfiles/files/kuvagas.pdfIn PDF document text
    • http://mavelikaradiocese.org/rapha/ckfinder/userfiles/files/47820334230.pdfIn PDF document text
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/l2c9f7na30tgcqpn7tfbrnhd5u/67423739811.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Gsjc/~3/tgwjJlsMqHc/uplcv?utm_term=download+dxcpl+pes+2017+windows+7+32+bitPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d324.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD324 19788 bytes
SHA-256: 871e873af8748f54fb4a38bce2e067c95718fd98d143ceacaf705c0790f4c788
font_01_sfnt_off00010605.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10605 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1