Malicious PDF — malware analysis report

Static analysis result for SHA-256 a807ace610fbeb48…

Verdict: MALICIOUS
File type: PDF

Size: 72.7 KB
Created: 2021-09-04 15:50:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 0394253d47a4679cc471a761f24819d6
SHA-1: ddb3fc44115dcdfe44cc745be7e745c014f4b05b
SHA-256: a807ace610fbeb489682392778e4332803d1420409cfc4fc8d15381417679df6
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, with numerous embedded URLs pointing to various websites, including those hosted on compromised WordPress installations. The presence of 'utm_term' parameters suggests a phishing or SEO manipulation tactic to lure users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8434

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e60d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE60D
Size: 10664 bytes
SHA-256: ad4757ad27935251f80a0df00b1c64c9728edaff79f51a4a54d3204659662cd4