Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4cf93acbd6fddf1…

MALICIOUS

PDF

70.6 KB Created: 2021-07-06 10:53:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 49c950aef3fa7182a0b573d76b3fa453 SHA-1: a0d79299627af86f6f01edbcf2e0601cb04a7f92 SHA-256: a4cf93acbd6fddf181190e82ff8ed626fb5be6eaf36adffbb4a0b2cbaf01af6d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was identified as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs pointing to compromised WordPress installations. These links are likely intended to redirect users to phishing or malware distribution sites, a common tactic for initial access via spearphishing attachments.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5042

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://canadianrelocation.net/wp-content/plugins/formcraft/file-upload/server/content/files/16078af7f71262---57275991618.pdf
    • https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/a53f5825745afd92a83dd358604e1244/70123951173.pdf
    • https://www.lindopoint.it/wp-content/plugins/super-forms/uploads/php/files/1bcd33a773f1a47b2363e46a46d394a2/78073086367.pdf
    • https://seeandhearbetter.ie/img/shop//contents/62227057617.pdf
    • https://pmeds.us/userfiles/file/16435119686.pdf
    • https://autoskola-scp.com/files/82511978632.pdf
    • https://xn----7sbbjg7ctfs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/232aff6790303a47cdd8de77e84d1c2e/nenagofomitudajozade.pdf
    • http://davidlbrooks.com/clients/868292/File/fokoduvuvelegovujekexifi.pdf
    • http://desagresbrts.com/clients/34568/File/10500978184.pdf
    • http://visualpaint.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091b910132fc---22049539419.pdf
    • http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606ccdea9b97c---50555606138.pdf
    • https://www.landalastadservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a63512e8ad0---jemeferofafetonese.pdf
    • https://hacunamatata.ru/wp-content/plugins/super-forms/uploads/php/files/762afe4235651f79d23cc8cb1edf040c/40429963300.pdf
    • http://tavernadelsnoguers.com/wp-content/plugins/super-forms/uploads/php/files/ecb80678250c2a741055204058818a3e/nanisovusixeboxalixotat.pdf
    • https://ferado.vn/userfiles/file/75625267001.pdf
    • http://bergfin.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607a3f5a8e008---gupixo.pdf
    • https://www.webhisto.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b467d0eed96---18512935879.pdf
    • http://dzbnf.com/upload/file///kegeresorufuxezekelaka.pdf
    • https://heritagelogs.com/wp-content/plugins/super-forms/uploads/php/files/20p714591kdhrken4ipggcm3ht/bizewogifanarimifodijas.pdf
    • https://personalloan2u.com/wp-content/plugins/super-forms/uploads/php/files/eacebef8029e1d57c4e56b1a8fb96833/populewapawudizodex.pdf
    • https://www.dazzlingdecor.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16084364922517---72698153054.pdf
    • http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c525b3edb9---talimafadefagu.pdf
    • http://www.hotel-margherita.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607daf4f4d8d6---kivolegagebanepipuviw.pdf
    • https://autoteam.in/ckfinder/userfiles/files/89712012467.pdf
    • http://kaplanpm.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b3f94c20ce---pofobuwixanufafit.pdf
    • http://colorfulmedia.de/fotki/fotki/file/boluru.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=bargain+and+sale+deed
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fb09.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB09 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.