Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c1d65c3ccb4aaa…

MALICIOUS

PDF

62.5 KB Created: 2021-06-25 09:44:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-25
MD5: 69c91afd599310ca6a027da2080d1cbb SHA-1: 7387aa5a3124a9a2305355ca9cdc83a5e7d270fa SHA-256: a2c1d65c3ccb4aaad70dd43c4072eb7799e0b76b17b82d32e51a107202e173f2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a link farm hosted on compromised WordPress sites, directing users to download files. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics, along with ClamAV detection as Pdf.Phishing.Trojan, strongly indicates a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains references to 'windows photo viewer download' and 'wkhtmltopdf', suggesting a lure for software downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8124

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tripleccompanies.com/wp-content/plugins/super-forms/uploads/php/files/30bfcbb81ac83db088044c188926e80d/zuwazejonuwemefur.pdf In PDF document text
    • http://www.vitrierbxl.be/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca92b8271f---38110994633.pdfIn PDF document text
    • http://www.dnevi-sekretarjev.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1609927598171a---tuteguxomiz.pdfIn PDF document text
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/cefc3ab50777549010e5fcd3ae6e62cc/4649127952.pdfIn PDF document text
    • http://a2itsolutions.com/chop/multimedia/userfiles/file/fisipegusad.pdfIn PDF document text
    • http://toddfamilyreunion.com/clients/4/48/482e924d5a052aa4a0c13eb8a30e0bc8/File/80256737711.pdfIn PDF document text
    • https://grahampropertytax.com/wp-content/plugins/super-forms/uploads/php/files/7a4d464a4b76847e5730d705678d3da6/kararutumesapawezivej.pdfIn PDF document text
    • http://berallebags.com/UploadFiles/FCKeditor/20210510165439.pdfIn PDF document text
    • http://brighterhealthcare.co.uk/wp-content/plugins/super-forms/uploads/php/files/181e3c4521q09tod2pbnhqj9dp/66802577631.pdfIn PDF document text
    • http://hitecds.com/userfiles/file/lexedamag.pdfIn PDF document text
    • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1607dfb1c302ab---47034065611.pdfIn PDF document text
    • http://macautemple.com/userfiles/file/tolewexusowa.pdfIn PDF document text
    • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8bde6d26c5---47586116351.pdfIn PDF document text
    • https://alianzatours.com/imagenes/file/12611257536.pdfIn PDF document text
    • http://bertoniamministrazione.it/bertoni/public/file/zulotepopidaferuvebijijez.pdfIn PDF document text
    • https://olympicwroclaw.pl/zdjecia/fck/file/5599550650.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=windows+photo+viewer+download+windows+8.1+64+bitPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd8c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD8C 5872 bytes
SHA-256: 4c1cd806ab4db31c3d56aa072114ac59b51682283006200620e12d58e9ca610b