Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f4f23f2b71e9734…

MALICIOUS

PDF

105.4 KB Created: 2021-08-26 00:29:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: d4fc013d6e402f739ef8d85563acfe8e SHA-1: e1c1251901f1f73bc2770f6499e5e8eb62737f79 SHA-256: 9f4f23f2b71e97341340db27b41a0451eca274ccdef06c30f8a7c1db0c74098d
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous external links, with several pointing to compromised WordPress upload directories, indicating a potential phishing or malware distribution scheme. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The document's structure as a link farm suggests it's designed to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2897

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=pictures+at+an+exhibition+composer PDF link annotation
    • http://urbancollab.com/userfiles/Proj_Name//files/gafumezarokabemikex.pdfIn PDF document text
    • http://ttlengenharia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607a89bf4dfb3---naguxatenevolovetobevu.pdfIn PDF document text
    • http://aiaato.com/FileData/ckfinder/files/20210617_4B785B38CA8155CD.pdfIn PDF document text
    • http://brahmagnanam.org/fck_uploads/file/17577572165.pdfIn PDF document text
    • http://career-id.org/ckfinder/userfiles/files/fixeredaxokinolidovetugeg.pdfIn PDF document text
    • http://abbuffalowings.com/uploads/files/tuvagujefatuwajig.pdfIn PDF document text
    • http://ruoumoc.com/upload/files/pejobanebusufufovowav.pdfIn PDF document text
    • http://vietkinggroup.com/uploads/userfiles/file/20466552703.pdfIn PDF document text
    • http://sbox-technology.com/upload/datoteke/32648435319.pdfIn PDF document text
    • https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/nv1fl8r327tkh297778ii1tf94/45389735488.pdfIn PDF document text
    • http://fred-robin.com/ckfinder/userfiles/files/43137473508.pdfIn PDF document text
    • https://mediabandit.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ff2a8c80249---91940629885.pdfIn PDF document text
    • http://bangdinhphucat.com/quangbasanpham/app/webroot/upload/image/files/bebajitadijogizedame.pdfIn PDF document text
    • http://indago-rovigo.it/userfiles/files/dukumarebip.pdfIn PDF document text
    • http://macabrey-luthier.fr/data/Files/xirupudapuv.pdfIn PDF document text
    • http://anhuifan.com/upload_fck/file/2021-7-14/20210714074143224308.pdfIn PDF document text
    • https://canadiancontractorservices.com/wp-content/plugins/super-forms/uploads/php/files/0s44ahm5m9e98n2c4urj1cjcv1/dumazov.pdfIn PDF document text
    • http://csc0535.com/userfiles/file/20210805041132_aefntt.pdfIn PDF document text
    • https://www.advids.io/wp-content/plugins/formcraft/file-upload/server/content/files/16085b388811a0---bigubuxojevazopuwe.pdfIn PDF document text
    • https://sgdivorcelawyers.com/wp-content/plugins/super-forms/uploads/php/files/1fb5f5297e86a9c2cfd7f9689707f98a/megefoxebazunasesinigo.pdfIn PDF document text
    • https://svetpoznaniyaonline.ru/wp-content/plugins/super-forms/uploads/php/files/d529f8362aad0be5b61d57ff9b5d0a83/84711294343.pdfIn PDF document text
    • https://rmissio.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a5ef0ace10a---werifa.pdfIn PDF document text
    • http://salonlomi.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16089c3ced7d53---37711403724.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016a8d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16A8D 10936 bytes
SHA-256: 1713c104e3305f835d3b583d92ca3edd1a31319cf4badf1a446877c1b9c3f7ab
font_01_sfnt_off0001838b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1838B 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1