Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d2b78ef4633abf9…

MALICIOUS

PDF

71.3 KB Created: 2021-09-19 13:56:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 0fc4ca338dc4b4bd37836ce3ed726fe2 SHA-1: ac96bc8b269f95262dad3219fbe21c59d2056419 SHA-256: 9d2b78ef4633abf9f8a583da64bca05a503ea858793d8cd5690fc953e87a6785
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs that act as a link farm, directing users to potentially malicious sites. Several heuristics indicate the use of compromised WordPress uploads and disposable hosting for these links, suggesting a phishing or malware distribution scheme. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4270

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=fantasy+island+2020+putlocker PDF link annotation
    • http://mengnuanua.com/app/webroot/files/files/bolufabijirofowagux.pdfIn PDF document text
    • https://brtim.com/uploads/wysiwyg/files/bokakoxaka.pdfIn PDF document text
    • https://r4binsh4h9-att.com/contents/files/71618383708.pdfIn PDF document text
    • http://henskeschildersbedrijf.nl/upload/guliruluzogiruvenufuwema.pdfIn PDF document text
    • http://nadafashionbelt.com/Uploads/file/4346078375.pdfIn PDF document text
    • https://themalc.org/files/file/zakanewabisegasixigobuki.pdfIn PDF document text
    • https://buyafranchise.org/files/files/92334713823.pdfIn PDF document text
    • http://caerulumpharma.com/upload/files/57132494901.pdfIn PDF document text
    • https://soudurelausiere.ca/upload/editor/file/fininelitofolujixarajate.pdfIn PDF document text
    • http://vektor-bezpeki.com/userfiles/files/35791708406.pdfIn PDF document text
    • http://civicwomen.com/ckfiles/files/negutozugawetepinajas.pdfIn PDF document text
    • https://webhostmurah.com/wp-content/plugins/formcraft/file-upload/server/content/files/161448da1aa1d0---46638591151.pdfIn PDF document text
    • http://vattucongtrinh.com/userfiles/file/ruvipofisazukasi.pdfIn PDF document text
    • https://www.tunnel.de/files/uploaded/file/duminafogipanuwoxofonov.pdfIn PDF document text
    • http://bannermaul.com/userData/board/file/lulusalitujanudej.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/q8liulcravd44v0v7k5dgu63b9/tinozizajivipoxuwawu.pdfIn PDF document text
    • http://illinoislivestock.org/userfiles/file/wisopatagonopodawugejinon.pdfIn PDF document text
    • https://hatinhjobs.com/upload/files/suzewume.pdfIn PDF document text
    • http://inannamsao.com/uploads/files/jinifesadojopijo.pdfIn PDF document text
    • http://dayuntang.com/assets/uploads/ckedit/files/20210902053854.pdfIn PDF document text
    • http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16141afdac2cb8---xaguj.pdfIn PDF document text
    • https://fontaine-eva.fr/userfiles/files/90705429351.pdfIn PDF document text
    • https://hps-gruppe.com/wp-content/plugins/super-forms/uploads/php/files/b2ulq94tkji03aob74e0avrp1m/50086061015.pdfIn PDF document text
    • http://consulcongress.it/uploads/assets/file/fedibuwuwozamusu.pdfIn PDF document text
    • https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/d10b3dbb0fc3722aa796c07358d557b5/87935075603.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d0f9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD0F9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000e90b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE90B 18604 bytes
SHA-256: e371ea6270cd8c677062ff46c7af9825af888a28606405db2f067ad6bee630ad

Open this report in the interactive analyzer, or submit your own file for analysis.