Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8be4a9bc2e66343…

MALICIOUS

PDF

69.3 KB Created: 2021-09-09 19:37:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 1fc0abba273343628b8c0ea718fb76c3 SHA-1: 10912c866e028c9d44d5d43f30778873ea3c2093 SHA-256: a8be4a9bc2e663431539888bdca58d15d64c0d0fc0e11483bc1517f89629ff1c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' specifically highlights this behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5522

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://peaceinsrilanka.lk/ckfinder/userfiles/files/wufik.pdf In PDF document text
    • https://www.sir.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16139ce93623b0---17891058664.pdfIn PDF document text
    • http://goodfortune.hk/UpLoadFile/file///84314842087.pdfIn PDF document text
    • http://littlepearlspublishing.in/data/eimages/file/metofafumu.pdfIn PDF document text
    • https://kokomanis.com/contents/files/78905504884.pdfIn PDF document text
    • http://vswet.ru/f/paxemifavumes.pdfIn PDF document text
    • http://israel-aliya.com/wp-content/plugins/super-forms/uploads/php/files/02c8d668bdc61354cf179b40f8acddc1/sawepuruxoxevavozoben.pdfIn PDF document text
    • http://www.pataniforum.com/admin/jquery/ckfinder/userfiles/files/lesoxudodejetijarowabatok.pdfIn PDF document text
    • https://perfecthospitals.com/FCKeditor/file/zixorusuliwidaxerupobisi.pdfIn PDF document text
    • http://restaurant-lyons.fr/userfiles/file/4637666963.pdfIn PDF document text
    • http://cdseoulps.com/uploadfile/fckeditor/file/85395753458.pdfIn PDF document text
    • https://burkina-businessschool.com/business_school/uploads/file/lejirepetemew.pdfIn PDF document text
    • http://zhuoxinlaw.com/userfiles/file/20210909065057_1096156757.pdfIn PDF document text
    • http://artikos.pl/userfiles/file/75432937388.pdfIn PDF document text
    • http://birizgardenhotel.com/userfiles/file/ronupuva.pdfIn PDF document text
    • http://polymer-optix.de/userfiles/file/48984643654.pdfIn PDF document text
    • http://oxigensupplies.com/shipinc/userfiles/files/28669916452.pdfIn PDF document text
    • http://locum-system.pl/userfiles/file/64439653578.pdfIn PDF document text
    • https://genia-groupe.fr/images/files/tofaketaxujirukemul.pdfIn PDF document text
    • https://www.brunosistemi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16135774f0014a---vonove.pdfIn PDF document text
    • https://irisapp.cn/uploadfiles/fckeditor/20210905/file/16308175429557.pdfIn PDF document text
    • https://inprovitmexico.com/ckfinder/userfiles/files/begilarago.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=wallpaper+android+keren+hdPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd27.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD27 10308 bytes
SHA-256: b0990612707abaf965bfd03b370ff3617c100d7e96a9d2ff43eddb395246782a
font_01_sfnt_off0000f433.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF433 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1