Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9cc9f3d02db6c39…

MALICIOUS

PDF

71.2 KB Created: 2021-09-07 05:12:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: a1441bd7039ce48b86b56384aefe25f8 SHA-1: 219e4ae1a0c471d8cb7f183918a486eba4296187 SHA-256: a9cc9f3d02db6c39a32578cc95c123471363c78afa0c163b54b8b1146b10313f
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV, indicating it's a Pdf.Phishing.Trojan. Static analysis reveals it functions as a link farm, with numerous embedded URLs pointing to compromised CMS upload directories. These URLs likely serve as a distribution mechanism for further malicious content, potentially exploiting client-side vulnerabilities.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4326

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://endustriyelkiralama.com/wp-content/plugins/super-forms/uploads/php/files/bgldq3fuor90jqhhtojk1ec9jk/kibufofezexurisijogomiwa.pdf In PDF document text
    • https://cashmeredreams.com/wp-content/plugins/super-forms/uploads/php/files/92b55bf22cf1da4c294f19ab29730520/45257803161.pdfIn PDF document text
    • http://vita24h.com/uploads/userfiles/file/90203154478.pdfIn PDF document text
    • http://stark-tools.ru/images/uploaded/xezenaze.pdfIn PDF document text
    • https://sipsib.ru/wp-content/plugins/super-forms/uploads/php/files/5f24193e6d79b85810624dc5afcb21db/19063166629.pdfIn PDF document text
    • http://escolacaritas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f33af38b36---93501341000.pdfIn PDF document text
    • https://sportli.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1608828c2d1b40---955750373.pdfIn PDF document text
    • https://agroadvanced.com/app/webroot/newsletters/editor/files/sexatifakarakafubafu.pdfIn PDF document text
    • https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/5065a4f79a64dfa54e20640b8ea8007e/29962183827.pdfIn PDF document text
    • http://1carl.com/userfiles/file/nujafalipomere.pdfIn PDF document text
    • http://primaneighbors.com/userimages/52150372868.pdfIn PDF document text
    • http://www.temaricerca.com/entry2013new/admindia/ckfinder/userfiles/files/17130872938.pdfIn PDF document text
    • https://technok.cz/wp-content/plugins/super-forms/uploads/php/files/d681b5391c7cae6ec99e02beb55b8fda/torejojipidurerugagono.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608e04c326f7e---99713973172.pdfIn PDF document text
    • https://nhaccugiare24h.com/uploads/userfiles/file/zirukupawapezidegunafajog.pdfIn PDF document text
    • https://mondoaudio.it/img/uploaded/file/98299920189.pdfIn PDF document text
    • https://tideandtigers.com/ckfinder/userfiles/files/61937557625.pdfIn PDF document text
    • http://boxethai38.com/upload/file/6631291157.pdfIn PDF document text
    • http://gelikonline.ru/content/Files/73646452849.pdfIn PDF document text
    • https://agatanorek.com/files/file/rajopadokile.pdfIn PDF document text
    • https://centrosteadycam.it/wp-content/plugins/super-forms/uploads/php/files/d47a833c6674bc23a3e43a357d831f62/89524629248.pdfIn PDF document text
    • http://royalgoodviewresort.com/Uploads/file/netixaw.pdfIn PDF document text
    • https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/161314d0ac011e---zixidil.pdfIn PDF document text
    • http://diagonal.org.ar/wp-content/plugins/formcraft/file-upload/server/content/files/16078c2134f175---sexadowibasekame.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/YTWXjIUwRh0/uplcv?utm_term=english+arabic+calendar+2018+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cfdd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCFDD 15544 bytes
SHA-256: e24d59feae7bbc5a3ee9e315f19a809b62cfc182414a5b26e4ca6304cbd2671d
font_01_sfnt_off0000f7c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7C7 11304 bytes
SHA-256: 9fb17f4bdbeffcb7f80b491052a2e22d940e391eef7c514a9d38f422b818b4cc