Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2aeeb8482ff0374…

MALICIOUS

PDF

76.5 KB Created: 2021-09-02 12:01:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 7e012654712a80c536a1ecf689463e6f SHA-1: 8f35b1c5841f111897fe13bdf1b3b81d727bd3f4 SHA-256: a2aeeb8482ff037427b52d44db99dd6b11d1700677dbc69d012a1deb1ace1476
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file contains a large number of external links, many of which point to compromised WordPress sites or disposable hosting. The ClamAV detection indicates it is a phishing or trojan delivery mechanism. The file's primary function appears to be acting as a link farm to distribute malicious content or phish users.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4750

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=tess+gerritsen+ice+cold+pdf PDF link annotation
    • https://thepetrichortouch.com/wp-content/plugins/super-forms/uploads/php/files/3n5l378rpka3627ftkfggf9uro/mojabezabutojetopemezizub.pdfIn PDF document text
    • https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/abfbeb262e841451ddcc3592dfafd7d2/97131634466.pdfIn PDF document text
    • https://t2sc.me/userfiles/lekepazibadawusuwininazo.pdfIn PDF document text
    • http://poledance-chrudim.cz/files/file/jasoxomotimuveb.pdfIn PDF document text
    • https://nissanzorba.ro/ckeditor/ckfinder/userfiles/files/97756097160.pdfIn PDF document text
    • https://www.alongsideasia.com/wp-content/plugins/super-forms/uploads/php/files/1108c7c6663c5ae1544964471f8a9972/87606780382.pdfIn PDF document text
    • http://fitnessklub-impuls.pl/uploads/assets/file/13016889059.pdfIn PDF document text
    • http://udmvdpo.ru/images/files/41872158231.pdfIn PDF document text
    • https://annjulieskarpmo.com/userfiles/file/2830905754.pdfIn PDF document text
    • http://hakkabrothers.com/userfiles/file///67048129255.pdfIn PDF document text
    • https://www.escon.it/wp-content/plugins/super-forms/uploads/php/files/ae71364e2c1be7c09714c37fac93210a/58753252743.pdfIn PDF document text
    • https://habibitours.net/ckfinder/userfiles/files/1382776186.pdfIn PDF document text
    • http://stkvn.ru/wp-content/plugins/super-forms/uploads/php/files/f1ed6bcd34e54ef88aa41a2bab3a5819/vavokugezapuzomuw.pdfIn PDF document text
    • http://dalnoboy.net/data/filestorage/upload/files/25102894215.pdfIn PDF document text
    • http://www.mariabeckmann.com/fotos/uploads/files/fetobosinutinetaxe.pdfIn PDF document text
    • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092bfd671570---furipuwur.pdfIn PDF document text
    • https://stalbeckers.nl/userfiles/image/file/60629821047.pdfIn PDF document text
    • http://bluefield1966.com/clients/26642/File/sisibelusidikifu.pdfIn PDF document text
    • http://wallacewilliamsfamilyreunion.net/clients/6/66/662ca4338cd1fa41fa93b88222973dc6/File/43557109414.pdfIn PDF document text
    • http://bhhangkhong.com/upload/images/files/69842088704.pdfIn PDF document text
    • https://leicht-spb.ru/wp-content/plugins/super-forms/uploads/php/files/9810b98c30a3a3564a605af744d5a92d/sexobumosowa.pdfIn PDF document text
    • http://tayles.com/uploaded/toxez.pdfIn PDF document text
    • http://zonweringbelgie.nl/ckfinder/userfiles/files/38577613572.pdfIn PDF document text
    • http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1612e925344fdc---vekubifugokop.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/h7jopnecdoh19li21f6qao6mq4/jeworuwa.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001001c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1001C 10596 bytes
SHA-256: 92b4a325972084997aa2796dec1e06feb28d617d9194efea2d877086e913b3a0
font_01_sfnt_off00011833.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11833 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.