Malicious PDF — malware analysis report

Static analysis result for SHA-256 a971b7e8f56b1ff7…

Verdict: MALICIOUS
File type: PDF
Size: 441.2 KB
Created: 2021-08-15 01:08:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 1f617e70f4f5e35146f7899ddf55a95a
SHA-1: a123523cd516a5ed2dc1a32cb9046cef3d85ca9e
SHA-256: a971b7e8f56b1ff75b4a973aa1bb362886973bd9f4adb469707027d911e387ae
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links pointing to compromised WordPress upload directories, suggesting it's part of a phishing campaign to distribute further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. No scripts were extracted, but the presence of numerous malicious URLs implies a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6924

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0006a4f6.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6A4F6
Size: 11192 bytes
SHA-256: 3ed4c4967242c86a8ffa6c47a24d3e656c2bdd41de7bec539a95dc924b791a9f