Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3f21c1d454234de…

MALICIOUS

PDF

72.1 KB Created: 2021-06-25 19:29:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: fc9c69b68708dc15da8a11f1e08a506d SHA-1: 41b7d2b9f6445b2f1d85019b6b156b84b8c623e2 SHA-256: a3f21c1d454234de19ff751bd765b0be05587017dd9be225f16afe32735c1eca
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised websites, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The file's structure as a link farm on potentially disposable hosting further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6366

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=jaw+clenched+at+night PDF link annotation
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608d6bae99ed0---sawubotonorewive.pdfIn PDF document text
    • https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/457c1467b4546948dde60ad1388e8167/vagoxigowoladigonovid.pdfIn PDF document text
    • https://stdtekstil.com/upload/ckfinder/files/20995461888.pdfIn PDF document text
    • https://www.projectorrentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/160817739267d7---54155063339.pdfIn PDF document text
    • https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/3d5d8e16d00d221041d55a196130fa72/49860673899.pdfIn PDF document text
    • http://www.catalogodecineargentino.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076fe2a8c9f5---zozusogijometeku.pdfIn PDF document text
    • http://xn--e1aazeoc7d.xn--p1ai/images/shared/file/1055239597.pdfIn PDF document text
    • https://amerismithenterprises.com/wp-content/plugins/super-forms/uploads/php/files/cf1e5c69eb0c682fa84b134ea7423ae3/rodarenadisekapa.pdfIn PDF document text
    • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/l4nqgklefohjfvj3l9cba4nsp3/jufidotemimewe.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dd4a378ef9---13573010563.pdfIn PDF document text
    • http://engroupe.ca/aym_image/files/bitifivitogozafozejurefe.pdfIn PDF document text
    • https://tecnibat.net/uploads/archivos/39288783761.pdfIn PDF document text
    • https://desertflying.club/wp-content/plugins/formcraft/file-upload/server/content/files/16084f0cb19b9d---bimimibedogeko.pdfIn PDF document text
    • https://miaousland.fr/ckfinder/userfiles/files/xabevof.pdfIn PDF document text
    • https://expresstestingatl.com/wp-content/plugins/super-forms/uploads/php/files/5698cc5fd9327a5caf68c63e23c78476/viwasoxusobudanokeminu.pdfIn PDF document text
    • http://shuimotongyuan.com/userfiles/file/36190555931.pdfIn PDF document text
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/9d58dd4bd13f0e1def021300b4c4b3c7/kideladazof.pdfIn PDF document text
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca23337d9c---tatuvibodamivope.pdfIn PDF document text
    • https://harpethvalleyhealth.com/wp-content/plugins/super-forms/uploads/php/files/04eb96df16a1acc7751a1f050a809168/mejofufizewafed.pdfIn PDF document text
    • http://bobiniauto.com/userfiles/file/42349828244.pdfIn PDF document text
    • http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/4rm3a8hbmvnsmfub0tppdu00g7/tejijajadikafofar.pdfIn PDF document text
    • http://www.ddd-iasi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16087b604c0795---62512200907.pdfIn PDF document text
    • https://www.anandtirth.com/wp-content/plugins/super-forms/uploads/php/files/hl0aoskbri1b4k3trjmf71cgr3/tixufefufep.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebf6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBF6 10340 bytes
SHA-256: 62bc36313c3d8a4c7a7c1e857fff8fa6fc56e8998c533d619832ec50ed05c237