Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e024b13a40fe009…

MALICIOUS

PDF

37.3 KB Created: 2021-06-25 03:13:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5246befe53b26d80bc61613801c9e26 SHA-1: 21c4cc9d82e81021f3ce1a6ecf56e73cd66b3497 SHA-256: 9e024b13a40fe0099b2119906f0bc35881c09a293d9657ca056eaf5efbfb1656
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is identified as malicious by ClamAV and a machine learning classifier, exhibiting characteristics of a phishing lure. The PDF_IMAGE_LURE heuristic indicates it presents as an image to obscure clickable links, likely directing users to external sites. Several URLs were extracted, many hosted on compromised WordPress sites, suggesting a campaign to distribute malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5922

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 37 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/uplcv?utm_term=how+to+set+up+printer+to+print+to+pdf+file
    • http://ajtoablakcentrum.com/_user/file/12317016814.pdf
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/483957ccf94732469aca1e44089a6715/59217084997.pdf
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1609f5574246dc---43812644441.pdf
    • https://www.emmabowman.com/wp-content/plugins/super-forms/uploads/php/files/3521776be36fc23a676f693aab80bcbd/71015210047.pdf
    • https://delaneyllc.com/ckfinder/userfiles/files/dosajeza.pdf
    • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/03687a7179cff58dab530e51f09fd49e/76131414567.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/tp80ulehspe9s1so73216knak6/zozezuvigewurikag.pdf
    • http://cezanart.com/userfiles/file/81640931

Open this report in the interactive analyzer, or submit your own file for analysis.