Malicious PDF — malware analysis report

Static analysis result for SHA-256 a37fcaca5c4e146a…

MALICIOUS

PDF

70.2 KB Created: 2021-06-06 10:25:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 0c7c4ab0ce239dcf64f8b31ebc03d2db SHA-1: c185e9fcee7647670563934e850c24ee0f6d3172 SHA-256: a37fcaca5c4e146a4d63161e390a4b0d4b2edb5b2c9ccd2158859e253383750d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and ML classifiers, indicating a phishing or trojan threat. It contains numerous links, many pointing to compromised WordPress upload directories, suggesting a link farm designed to distribute malicious content. The embedded URLs, such as 'https://coretry.ru/uplcv?utm_term=imagenomic+portraiture+2.3+3+plugin+serial+number', are likely part of a lure to trick users into downloading malware disguised as software utilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9678

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/uplcv?utm_term=imagenomic+portraiture+2.3+3+plugin+serial+number PDF link annotation
    • http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d28f9dc9ed---sepidawima.pdfIn PDF document text
    • http://www.barankayalar.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160a8908ce1c01---kimalituvaxitowe.pdfIn PDF document text
    • http://www.hj-bouwt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160a4bf43ed73d---90496104173.pdfIn PDF document text
    • http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b70c483614d---feduveledawadepoji.pdfIn PDF document text
    • http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160915117cfdd8---wafuvibukijasijaru.pdfIn PDF document text
    • https://www.psalighting.com/wp-content/plugins/super-forms/uploads/php/files/b85b43bc19b6cf48a15ad02ae360030a/sogunibawaregi.pdfIn PDF document text
    • https://deconkhoemanh.com/wp-content/plugins/super-forms/uploads/php/files/oge3s4krh9c4raknmfefhpvgij/dafelapokojowuzikapavomo.pdfIn PDF document text
    • http://classtool.info/upload/files/gipexi.pdfIn PDF document text
    • https://opsclown.it/ckfinder/userfiles/files/tagoxiwukitiko.pdfIn PDF document text
    • http://davisfolk.net/clients/1/1f/1f1070e31f35868a9a13f38ee7dc887f/File/besat.pdfIn PDF document text
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/dnkf1bqtidj150eqra34kcjqnp/84455708668.pdfIn PDF document text
    • http://domeinbeverdonk.be/assets/files/file/nosamipudixokebifikasido.pdfIn PDF document text
    • http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078c723e7e4a---23070404834.pdfIn PDF document text
    • http://firmykominkowe.pl/Obrazki/edytor/file/sudesixumagodij.pdfIn PDF document text
    • https://sieuviet.net/webroot/img/files/bogomosifer.pdfIn PDF document text
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609b1176915ca---24681448476.pdfIn PDF document text
    • http://www.sunarozlem.com.tr/wp-content/plugins/super-forms/uploads/php/files/q49edigttiiud8rgkf4m7eijo4/22831082239.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE9C2 5660 bytes
SHA-256: 513e2ae30566278e47e63fe66e7e977a82af021a81b5b183c5b0af2118724d80

Open this report in the interactive analyzer, or submit your own file for analysis.