Malicious PDF — malware analysis report

Static analysis result for SHA-256 95a9cf8930124c11…

MALICIOUS

PDF

63.5 KB Created: 2021-07-24 19:45:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: b5ffa27324a240703a6789b634a474c4 SHA-1: d03f0a3213bc1f778fd51b337e7556b787e6000a SHA-256: 95a9cf8930124c1144e63a7d7b6cf5f529ba3f7c3016ec5406b0f1f53e2f2b79
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV, indicating it's a Pdf.Phishing.Trojan. Static analysis reveals numerous embedded URLs pointing to compromised CMS upload directories and disposable hosting, suggesting a link farm designed to redirect users to malicious content. No scripts were extracted, but the PDF structure and URL patterns are indicative of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4209

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tigercabinetry.com/wp-content/plugins/super-forms/uploads/php/files/714588ec625ab265777c0a3333caa36c/64218088032.pdf In PDF document text
    • http://ingmontagna.com/userfiles/files/zetaluwakeva.pdfIn PDF document text
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16094a39359f27---lumaditozos.pdfIn PDF document text
    • http://www.virtualaid.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160db50108ae5d---24185630545.pdfIn PDF document text
    • http://119hero.kr/userData/board/file/waforofojizosudatawivo.pdfIn PDF document text
    • https://noddy.nu/images/file/lajukiberiso.pdfIn PDF document text
    • http://victorylimo1.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f8690d8de2---34501752675.pdfIn PDF document text
    • https://burmesecatclub.nz/wp-content/plugins/super-forms/uploads/php/files/4bd1848a77b113ba1283d35f4d3fcf5c/63535343185.pdfIn PDF document text
    • http://bjaimama.com/data/upload/2021/05/file/202105150214049466.pdfIn PDF document text
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3fac562c65---60618107381.pdfIn PDF document text
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098b1facc323---vivugixuvozepopotomole.pdfPDF link annotation
    • http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/160765068400b0---sarozonisusudepaxewa.pdfIn PDF document text
    • http://remontnoedelo.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1609a639d7be10---41625796182.pdfIn PDF document text
    • http://massimoandyuethui.com/clients/69227/File/22225189683.pdfIn PDF document text
    • https://ecole-anglais.com/upload/files/tezetagikofolededig.pdfIn PDF document text
    • http://jlm-kg.com/uploads/file/lofidunuropev.pdfIn PDF document text
    • https://law.com.sg/wp-content/plugins/super-forms/uploads/php/files/88a72c262ed9d177c7083f65fdbf7f34/33844209897.pdfIn PDF document text
    • http://www.assignproject.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a248810f15d---43608909640.pdfIn PDF document text
    • https://penzionradvanice.cz/res/file/buvodogajejewawozusis.pdfIn PDF document text
    • http://piau-po21inn.com/CKEdit/upload/files/79965004019.pdfIn PDF document text
    • https://bdcomunicazione.it/file/50713455106.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/341816b9ac53f089ccf64c039ad36e73/10204826116.pdfIn PDF document text
    • http://automsystem.com/UploadFile/file/20210506035007266.pdfIn PDF document text
    • https://tungafilm.com/dorceiys/ckfinder/userfiles/files/23654062710.pdfIn PDF document text
    • http://labcoop-jsc.com/wp-content/plugins/super-forms/uploads/php/files/3t198pbaklhrr3l8p80uu2pjjm/31231595667.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=how+do+you+use+fusible+cotton+fabric+sheetsPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.