Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9cae7c542894316…

MALICIOUS

PDF

63.5 KB Created: 2021-05-26 03:35:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cba988ca04c53d7ee82edd741311fd0b SHA-1: 769e980dbedd55ae2b3facf70c3012cb51b1fdd0 SHA-256: a9cae7c542894316a84fd22735a78f3079130ebe0a7ba6b494e7cb9e65688da3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to compromised WordPress sites and disposable hosting, suggesting it functions as a link farm or phishing lure. The embedded URLs and the document body, which mimics a search result, are designed to redirect users to potentially harmful external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9959

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=what+is+an+example+of+a+literary+foil
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/1607df52d658bb---37693159304.pdf
    • https://www.mixedclass.com.au/wp-content/plugins/super-forms/uploads/php/files/aiibgsjeudjcvo7hkcp0uhqi2l/41599266692.pdf
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087ad329d0b8---53942183784.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/142da88edbc90b3c8b70073814cd5374/11239277761.pdf
    • http://witnesstherealist.com/wp-content/plugins/super-forms/uploads/php/files/c92adbddb5d877549b4adc1fbf2738ea/suzikazipon.pdf
    • http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/160a2f21499610---judusotomeselej.pdf
    • http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b09a8bcb64---4474415979.pdf
    • http://humanitool.ru/userfiles/file/bonuxeweniduvonobivos.pdf
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/16084d411ec409---1486819039.pdf
    • https://skazkavdom.com/wp-content/plugins/super-forms/uploads/php/files/9f868e87dbcd5e54e4d3dc380a9d865c/93507477941.pdf
    • https://ohligschlaeger-berger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a6924f7dd91---82248655694.pdf
    • https://realestateconnect.us/wp-content/plugins/super-forms/uploads/php/files/9hmkkv4i5rk34rbm8l8pcc6o54/logatefovej.pdf
    • http://purpledoorchurch.com/wp-content/plugins/formcraft/file-upload/server/content/files/160705b1ed682c---zavanolesupudonanam.pdf
    • https://wills.sg/wp-content/plugins/super-forms/uploads/php/files/185091a87649e7269ba7e148b335b19c/9402672121.pdf
    • https://rebel-guitars.com/wp-content/plugins/super-forms/uploads/php/files/17073b2a562556f64520b804b7965466/28483063926.pdf
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/apu345shiulsvq055qudvgvhba/2071458565.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dcde.bin
5890c3f37e4701fc2efc5533df635e278fdab989678e9c796f53d702ec50dabd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDCDE 5324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.