Malicious PDF — malware analysis report

Static analysis result for SHA-256 a87a1c507c6ab31e…

MALICIOUS

PDF

70.5 KB Created: 2021-06-15 22:19:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-24
MD5: 62b351c51f10f7f6bfc22342d00ad3a7 SHA-1: 538b09a68babfcdcbe94189665e6b01a4b74b525 SHA-256: a87a1c507c6ab31e67046c5510c0d237cd70e31991ed7996cb3c1354be1af495
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many pointing to compromised WordPress upload directories or disposable hosting, suggesting a link farm used for phishing or malware distribution. The presence of external URI heuristics further supports the attempt to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9785

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=three+digit+addition+and+subtraction+with+regrouping PDF link annotation
    • http://www.ecostroyservis.ru/File/xojojowubap.pdfIn PDF document text
    • http://www.rlktechniek.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16087fdb942eb0---77226959543.pdfIn PDF document text
    • https://theemperorsoldclothes.co.uk/wp-content/plugins/super-forms/uploads/php/files/6v86lo3me1bq9vpp4kmr9b2v05/2201910922.pdfIn PDF document text
    • http://eksan-ltd.com/userfiles/file/93336412432.pdfIn PDF document text
    • http://yuanyoujie.vip/userfiles/file/kejusenefafepexazoxe.pdfIn PDF document text
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/098241f61d301074f7d7a14c9a9c2d4d/dodetituvajabowavakaf.pdfIn PDF document text
    • https://stagerightstaging.com/wp-content/plugins/super-forms/uploads/php/files/14e5f3103928ccff74293ff2f25be782/mobow.pdfIn PDF document text
    • http://multiseal.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160c09282e31c2---43163386578.pdfIn PDF document text
    • https://gradeagroup.com/wp-content/plugins/super-forms/uploads/php/files/ktijv1if4pplc8he4p5jg5f43f/kofaxoritumigojatavej.pdfIn PDF document text
    • https://www.ideaklinikbursa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d1e33b5946---kekug.pdfIn PDF document text
    • http://anonelectronics.com/admin/fckeditor/editor/filemanager/connectors/php/upload_jpg/file/202105290708198395.pdfIn PDF document text
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b4256381dbc---91275906292.pdfIn PDF document text
    • https://fullhousetourism.com/UploadFiles/file/20210525051241192.pdfIn PDF document text
    • https://mayurherbal.com/userfiles/file/jibudizekaf.pdfIn PDF document text
    • https://nikken-engineer.jp/export/sd205/www/jp/r/e/gmoserver/8/6/sd0748886/nikken-engineer.jp/fckeditor/upload/file/2970677676.pdfIn PDF document text
    • https://aartipalette.com/userfiles/file/43223566874.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e55b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE55B 5484 bytes
SHA-256: a5e256513d783689b9201323c0faf18033dcbab383e9adda1d018fe6e31e50d4
font_01_sfnt_off0000f80a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF80A 11280 bytes
SHA-256: 827632d8e44ce6e3795d0cbafa1dbb0e1b1f17f441801a524553f7e406844099

Open this report in the interactive analyzer, or submit your own file for analysis.