Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7bfff2f6a8c012b…

MALICIOUS

PDF

80.0 KB Created: 2021-10-05 10:04:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: dc028d9bad360b3a4665a01544bf9993 SHA-1: b0082aff998f97338504968deb8d8abd5aae48a2 SHA-256: a7bfff2f6a8c012b5a2ebdd4594e673936500b8694cca4aca00d19a61978615b
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as a malicious PDF by ClamAV. Static analysis reveals it contains numerous external URLs, many pointing to compromised CMS upload directories or disposable hosting, suggesting a link farm designed to redirect users to potentially malicious content. The presence of embedded URLs and the nature of the heuristic firings indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4490

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=if+you+have+a+pinched+nerve+in+your+neck PDF link annotation
    • https://soechi.net/userfiles/file/39220300279.pdfIn PDF document text
    • http://grgct.com/ckfinder/userfiles/files/zuvazajaseto.pdfIn PDF document text
    • https://grandegroup.net/files/gusuxarewamew.pdfIn PDF document text
    • http://fusheng-vietnam.vn/admin/webroot/upload/image/files/80229661198.pdfIn PDF document text
    • http://centroolosprato.it/userfiles/files/liwupevodovotudane.pdfIn PDF document text
    • http://www.yankey.com.tw/demo/public/editor/ckfinder/upload/user_upload/files/28624027308.pdfIn PDF document text
    • https://e-casainteligenta.ro/userfiles/file/nizizokogiwemixomin.pdfIn PDF document text
    • http://www.uvhk.com/wp-content/plugins/formcraft/file-upload/server/content/files/161411bf518fd6---90444710320.pdfIn PDF document text
    • https://pyhm.ca/wp-content/plugins/super-forms/uploads/php/files/7flo7a09bnnco0jatgnvgvrksp/71290156078.pdfIn PDF document text
    • http://soepcentrale-dekeyser.be/userfiles/file/dafuzujasidarubalilubugav.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/upd6k9s9qn65df55q6hhrjqrgk/58974899159.pdfIn PDF document text
    • http://tuzy.pl/Upload/file/63662526990.pdfIn PDF document text
    • http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/161536c11ef546---pabetuver.pdfIn PDF document text
    • https://metroguards.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1613bf9669249f---39513359341.pdfIn PDF document text
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16156cde81e4d7---62937797540.pdfIn PDF document text
    • https://rhythmcprandfirstaid.com/wp-content/plugins/super-forms/uploads/php/files/698795f2d6fb69918522e84732f8d370/15327475876.pdfIn PDF document text
    • https://jasz-pap.hu/UserFiles/file/dozevu.pdfIn PDF document text
    • http://ticketsperiodico.com/galeria/files/daruwonivukupuwoxunobik.pdfIn PDF document text
    • https://newoptic.sas-global.mn/uploads/files/11961366786.pdfIn PDF document text
    • https://infotechsystemsonline.com/ital/www/img/file/46907758093.pdfIn PDF document text
    • https://hgindustrial.eu/userfiles/files/pojezalogubika.pdfIn PDF document text
    • https://mandarinusa.com/userfiles/file/1631755104.pdfIn PDF document text
    • https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/01b6d6bac06f28d780990347894ffaaa/lakiziwegafamupolamepume.pdfIn PDF document text
    • http://jsjxh.org/filespath/files/20210914024740.pdfIn PDF document text
    • http://yibetter.com/data/files/68685636032.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2d7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE2D7 18676 bytes
SHA-256: 4bbfb3328a36641a87dbd9a5e23cf9f4ccb9ec65c6f2a1cb140e9114170616dd
font_01_sfnt_off0001136c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1136C 10728 bytes
SHA-256: c57d5a4c29cf7655dd3069db35b231e738070884d1091b2f406336919dbe7dd9
font_02_sfnt_off00012c06.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12C06 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1