Malicious PDF — malware analysis report

Static analysis result for SHA-256 a014cf1f33e99328…

MALICIOUS

PDF

62.3 KB Created: 2021-09-11 22:42:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: bb635c10ca36fd79ece7b2e1bbef2d5f SHA-1: 833daa94297e1ed6358e056589cb4cd12e6384be SHA-256: a014cf1f33e99328ff7f3629a5dcbda20d8049945a6d1719f8f9dd03889b9258
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised CMS upload directories or disposable hosting, indicating a link farm designed to distribute malicious content. The ClamAV detection and ML classifier further support its malicious nature. The primary attack pattern involves luring users through a malicious attachment to a site that likely hosts further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6567

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ventsistem-bg.com/userfiles/file/44637763592.pdf In PDF document text
    • http://edmo-cars.nl/images/file/jabigakezasejefimovetejiv.pdfIn PDF document text
    • http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/16130eaa80b677---sedezupesa.pdfIn PDF document text
    • http://zvaracskaskola.eu/editor_uploads/system/files/tawofaxezubiwidejupo.pdfIn PDF document text
    • https://robert-zauer.cz/userfiles/file/14577531418.pdfIn PDF document text
    • http://opuspoint.com/ckfinder/userfiles/files/mojovikumabifomiwiwuzata.pdfIn PDF document text
    • http://sp3siemianowice.pl/userFiles/files/mezukoza.pdfIn PDF document text
    • http://msinziniering.com/userfiles/file/13541258919.pdfIn PDF document text
    • http://hulstcustoms.ru/uploads/files/636847355.pdfIn PDF document text
    • http://demkapi.com/resimler/files/neberevonov.pdfIn PDF document text
    • http://datong-travel.tw/upload/ckeditor/files/20210902054413.pdfIn PDF document text
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/16135dab766000---vogota.pdfIn PDF document text
    • https://morganmethod.com/ci/userfiles/files/16383181268.pdfIn PDF document text
    • http://kennyre.com/wp-content/plugins/formcraft/file-upload/server/content/files/161316ada7b9e9---27125671264.pdfIn PDF document text
    • http://bfr-bialapodlaska.pl/userfiles/file/dakativanifegivuraretasef.pdfIn PDF document text
    • http://rivebistro.net/ckfinder/userfiles/files/rugobuwadaruwenofukojej.pdfIn PDF document text
    • http://vipnovini.bg/root/f/uploads/files/40907730960.pdfIn PDF document text
    • http://eiak.org/upload/editor/files/pumawabisusukisagopoxusu.pdfIn PDF document text
    • http://jurabos.nl/include/editor/file/nolaxelixagadefovedisi.pdfIn PDF document text
    • http://chonburi33.com/userfiles/file/falinekofopimivaw.pdfIn PDF document text
    • http://avtrak.ru/ckfinder/userfiles/files/xugumisonezopemufa.pdfIn PDF document text
    • https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/1613a01ba3406e---23708657243.pdfIn PDF document text
    • https://iwistw.com/upload/files/wibisokid.pdfIn PDF document text
    • http://magicfood-cn.com/files/20210910085242.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=google+academico+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b604.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB604 16828 bytes
SHA-256: 22b3288665d7528ae0a6a7f00b85895d788786a8c0ce2dbdbb7c4819be38e790
font_01_sfnt_off0000e0e6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE0E6 10532 bytes
SHA-256: bba1477b1bc2a4f2ec134964e991e0c1f4a27ad9ed6dedbccbbc0fe9d618d3a4