Malicious PDF — malware analysis report

Static analysis result for SHA-256 a28f3733b7c6b3a7…

MALICIOUS

PDF

67.9 KB Created: 2021-09-08 10:47:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: c51d932c667b3d73352bbaa3c557dbb5 SHA-1: 191ac40cb4d5aa295989dc20f7e75aa58e1c2263 SHA-256: a28f3733b7c6b3a7013cd64b29dc67b444d9f2ed8cd2ac7b0f0af730b5b96b3f
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was detected as malicious by ClamAV and an ML classifier. It contains embedded JavaScript and a large number of external links, many pointing to compromised WordPress sites. The primary function appears to be acting as a link farm, likely to redirect users to phishing pages or download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5479

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=mixed+tenses+worksheets+for+grade+9 PDF link annotation
    • https://goactive.hu/wp-content/plugins/super-forms/uploads/php/files/6a4e8759d51f8bbb5138307ee4cfe655/sapejufog.pdfIn PDF document text
    • https://agatanorek.com/files/file/67487340055.pdfIn PDF document text
    • https://criteriacambio.com.br/wp-content/plugins/super-forms/uploads/php/files/v2ogs0f1kkvvr5fbel7to9r0gt/samufenoxuvu.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/7a60afbfdccd6b1ffdef6c255a27da85/16330351398.pdfIn PDF document text
    • https://intersensor.ro/v2011/Files/fck_upload/file/lajusoxokajun.pdfIn PDF document text
    • https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611a5b7f5b3cc---63786940443.pdfIn PDF document text
    • http://china-zub.ru/userfiles/file/logibuxugukow.pdfIn PDF document text
    • http://zangerlelaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/vosuladanusegulego.pdfIn PDF document text
    • http://hk-keber.de/images/file/wokojasotinixu.pdfIn PDF document text
    • http://maraulsan.com/ckfinder/userfiles/files/nejejudufokena.pdfIn PDF document text
    • http://kursadowicz.pl/Upload/file/43632499964.pdfIn PDF document text
    • http://friulanamarmi.it/images/file/38983615120.pdfIn PDF document text
    • https://daleel.global/wp-content/plugins/super-forms/uploads/php/files/ko8u1fbho97cacs3njo1p0kka7/54922024717.pdfIn PDF document text
    • https://aduanaldelvalle.com/userfiles/file/72357408973.pdfIn PDF document text
    • https://wavemed.it/wp-content/plugins/super-forms/uploads/php/files/87bad13249dae670c202c52611756333/3156879076.pdfIn PDF document text
    • https://backcountryplayground.com/wp-content/plugins/super-forms/uploads/php/files/01bd9d04ff07506d766a509ed8a0d287/36222342079.pdfIn PDF document text
    • https://thepetrichortouch.com/wp-content/plugins/super-forms/uploads/php/files/u3konvj55ire0mcsp4ba3vtq3f/98669865399.pdfIn PDF document text
    • http://aarogyamedico.com/userfiles/file/33150580631.pdfIn PDF document text
    • http://www.alex-vasilkov.ru/images/wisdom/file/22018256124.pdfIn PDF document text
    • http://creativeindustries.ru/uploads/userfiles/file/modozivozenafezixi.pdfIn PDF document text
    • http://daglichtfilters.nl/ckfinder/userfiles/files/pidajoxoderoveju.pdfIn PDF document text
    • http://tivatijapan.com/uploads/userfiles/file/suzukuwofokufujisasabep.pdfIn PDF document text
    • http://szentdorottyapatika.hu/files/zijuwerezuwuzexivuxagoj.pdfIn PDF document text
    • https://endoaccessories.com/wp-content/plugins/super-forms/uploads/php/files/fp41b4plnbpg6i8ff2gpdc8h0d/misediwezopipekokinaxu.pdfIn PDF document text
    • http://www.provinces.cmcgeneralate.org/files/js/ckfinder/userfiles/files/xuvojupodug.pdfIn PDF document text
    • https://ta-taiwan.com/app/webroot/userfiles/files/mobirije.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d84a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD84A 18284 bytes
SHA-256: 55ecc7d438ac9ea8b21fc80ce148b7641e307f60db5abb3b28ba353e4a7aca62