Malicious PDF — malware analysis report

Static analysis result for SHA-256 a16ccd834cf8185d…

MALICIOUS

PDF

72.1 KB Created: 2021-07-16 11:49:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5d09cd6894283479b8775215ac30f681 SHA-1: 51556559b76cb6a59f40ac4b2fab5ff9851dd99e SHA-256: a16ccd834cf8185d082858b823ff729e7cd2f1d1b3f7e907b6b509d5ed32628f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous embedded URLs that point to compromised CMS upload directories. These links likely serve as a distribution mechanism for further malicious payloads, aligning with a phishing or malware distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6243

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/c4ef918f0d465f013be27d44277212df/kanipavuxosaporewujirudir.pdf
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c02eae12b79---kevatolimatanajizivalero.pdf
    • http://casaatlantida.com/userfiles/file///xefapujozukuwifonudo.pdf
    • https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/d478213e3f912283944445126b87da7a/voxokoxudubax.pdf
    • http://naphogacomposite.com/upload/files/47567166527.pdf
    • https://studiogreenwich.ru/wp-content/plugins/super-forms/uploads/php/files/58bc828a4be4bd13e469e72df8c28203/sotubarideg.pdf
    • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608765c0dbc07---45715387.pdf
    • https://bestrecycledautoparts.net/images_i/file/merutudafalabinulutor.pdf
    • http://www.sudaff.com/pics/file/ragagenovivivi.pdf
    • https://eliteswimmingpoolsinc.com/wp-content/plugins/super-forms/uploads/php/files/2da9qiqmrdjv5mhrts4dteg373/71318996085.pdf
    • https://callalilyvn.com/upload/files/36624936290.pdf
    • http://poorclarescork.ie/images/pojivopunamixepefasujeje.pdf
    • https://myhoorayhealth.com/wp-content/plugins/super-forms/uploads/php/files/e5de58da9cc1d2d2bec8ecaad0d2266c/12086857685.pdf
    • https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/cd6f39e0e3274679c18538f9b32292b5/89200560742.pdf
    • https://ozmutludokum.com/userfiles/file/33767278777.pdf
    • http://ac-kenigsberg.ru/files/file/56181490418.pdf
    • https://arihantgranites.in/wp-content/plugins/super-forms/uploads/php/files/2q2gtlvn5504mnr3i0goahea90/63442491302.pdf
    • http://www.maderas-navarro.com/ckfinder/userfiles/files/kugibakukorevi.pdf
    • http://lordbeaverbrook1973.com/clients/76835/File/20221224782.pdf
    • https://thic.muki001.com/plugin/ce1/ckfinder/userfiles/files/xajejozizedoniwirofolero.pdf
    • http://uspeh-kursk.ru/ckfinder/userfiles/files/37339815374.pdf
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160f08aad091fe---154282609.pdf
    • https://www.swissfillon.com/wp-content/plugins/super-forms/uploads/php/files/148e9da4339247cf1ac9d77e07b47de9/sodefudodegemape.pdf
    • https://dailyhondaotomientay.com/upload/files/magonefupabizupu.pdf
    • http://www.aqsclimited.com/EditorImages/file/79243941015.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=expensive+types+of+cats
    • http://e1pl2.nazwa.pl/busy/fotki/file/gevitinewojijinafilom.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3ca.bin
b3c26f0cd887d6f40994d45b289772c7d7c60523112bdabc1d047b0399ba0185		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3CA 17052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.