Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7d792899a882599…

MALICIOUS

PDF

70.6 KB Created: 2021-06-17 20:25:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 33132bca5aa65388199a9d3cded61494 SHA-1: d7c242cb0bdb2156a080657fe75b31905c3489d9 SHA-256: a7d792899a882599c2ec5db4d3cd92a598ea9e83c15815126fade710bc035789
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a link farm pointing to compromised CMS upload storage and disposable hosting, with one URL specifically mentioning 'idm latest full version with crack', suggesting a software piracy lure. Although no scripts were explicitly extracted, the PDF structure and heuristic firings suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8260

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://saltokisport.com/uploads/files/basarutemevaxifeju.pdf In PDF document text
    • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/6b970ab85edcf8d382a732b332bc74f3/19934845711.pdfIn PDF document text
    • http://graphicon.hu/wp-content/plugins/formcraft/file-upload/server/content/files/160a93201c9189---dosedagonoguvifufo.pdfIn PDF document text
    • https://fjordancv.info/wp-content/plugins/super-forms/uploads/php/files/ec6e813d1d39a4bfb953199de1c490d3/10018733867.pdfIn PDF document text
    • http://nd-58.ru/wp-content/plugins/super-forms/uploads/php/files/96ece9d25407c15dec76ecd913a8747a/927417122.pdfIn PDF document text
    • http://apexhealthnutrition.com/newerac2c/userfiles/file/16138088273.pdfIn PDF document text
    • http://j1medical.com/uploaded/file/wurabuwodozivusuka.pdfIn PDF document text
    • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160c401f70c52e---45995038639.pdfIn PDF document text
    • https://travels-ukraine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160769aca1b07d---mabogaziperopofukirirobe.pdfIn PDF document text
    • https://www.hintonassociates.com/wp-content/plugins/super-forms/uploads/php/files/19ba40a048bb8efd8df9d10e30d6c085/weriviwolora.pdfIn PDF document text
    • http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071938e526b7---xenepinazagores.pdfIn PDF document text
    • http://www.canadiantreasurer.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0fcfd1138b---58968373439.pdfIn PDF document text
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087d1ab9e68a.pdfIn PDF document text
    • https://goldengrowers.com/wp-content/plugins/super-forms/uploads/php/files/bbf4a300316713e6be50a01e73d8c33d/guruxajovizazejas.pdfIn PDF document text
    • https://puertoestereo.com/wp-content/plugins/super-forms/uploads/php/files/1visa0c2uhvsu8e50f20160j6q/29101480222.pdfIn PDF document text
    • http://www.pianoszimmermann.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608f65891a23c---julajamovisiga.pdfIn PDF document text
    • https://balajitutorial.com/admin/userfiles/file/vemarodosewixi.pdfIn PDF document text
    • http://brainbond.ro/userfiles/file/tonupi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3vuEKuznOb8/uplcv?utm_term=idm+latest+full+version+with+crackPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010d7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D7E 5296 bytes
SHA-256: 4d2913f5fe3a7faf7bf47fdc2801033ba5edea6b520e6d4dda7ac3b0bee86129

Open this report in the interactive analyzer, or submit your own file for analysis.