Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa8cc75e2cf69ad6…

MALICIOUS

PDF

77.9 KB Created: 2021-11-01 06:57:59 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: 32c52e57977ce2bef1e7e8036be5d9e6 SHA-1: 97623b493a26e1fc2c106cdcceb22587e205b35b SHA-256: aa8cc75e2cf69ad68d995a762e25f3961b2e6d14c6f46e6503dd7c7f7f2b5710
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected by ClamAV as Pdf.Phishing.Trojan. Static analysis revealed it functions as a link farm, with numerous embedded URLs pointing to various domains. Several of these domains are associated with compromised CMS uploads or are hosted on disposable infrastructure, indicating a likely phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4750

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://htchninc.com/d/files/70388046518.pdf In PDF document text
    • https://duongthuy.net/userfiles/file/49770620507.pdfIn PDF document text
    • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1615c5aba29fe4---fejubimo.pdfIn PDF document text
    • https://purefeeling8.com/data/file/jawuvinuseditepejiza.pdfIn PDF document text
    • https://phu-komplex.pl/pliki/file/lewub.pdfIn PDF document text
    • http://futsalcb.cz/picture/vtextu/file/67103377588.pdfIn PDF document text
    • http://xn--oy2b19v1mb1yi.com/userfiles/file/luziseguguxi.pdfIn PDF document text
    • http://radioevangilereal.com/assets/ckfinder/core/connector/php/uploads/files/veduzapowetor.pdfIn PDF document text
    • https://hopefor.today/wp-content/plugins/super-forms/uploads/php/files/68df7be8786303acc59cdbbbdc08e1c9/51141867281.pdfIn PDF document text
    • http://myjobcareer.net/userfiles/file/2021100218541173499.pdfIn PDF document text
    • http://velapower.com/glwh/UploadFile/file/2021110108201573499.pdfIn PDF document text
    • http://pc-driver.ru/userfiles/files/39514180284.pdfIn PDF document text
    • http://fusiongrup.ro/userfiles/file/xopisa.pdfIn PDF document text
    • http://happyorderfood.com/uploads/files/kejer.pdfIn PDF document text
    • http://www.psoevalledeabdalajis.es/ckfinder/userfiles/files/99999648606.pdfIn PDF document text
    • http://xn--b1adrijbbb.xn--p1ai/upload_picture/voromegenuku.pdfIn PDF document text
    • http://www.extramas.com/userfiles/files/57565587340.pdfIn PDF document text
    • https://farsiherbal.com/cache/fck_files/file/goritibipisal.pdfIn PDF document text
    • https://marksiegeldds.com/wp-content/plugins/super-forms/uploads/php/files/da2dd5b3de36d08f11227f8d0bcdbbc6/88291401305.pdfIn PDF document text
    • http://splogservice.ru/content/files/sezemumewuzoluzilexun.pdfIn PDF document text
    • http://xn--c1adbeke4asdefy.xn--p1ai/ckfinder/userfiles/files/fakowepironudegitomat.pdfIn PDF document text
    • http://demirlermetal.com/resimler/files/tafiti.pdfIn PDF document text
    • http://accurateverdicts.com/wp-content/plugins/formcraft/file-upload/server/content/files/161368146833fe---66933997453.pdfIn PDF document text
    • http://icsbc.ru/fuploader/file/lewudorizawiwib.pdfIn PDF document text
    • http://feedproxy.google.com/~r/Xvkpad/~3/xPAns0MRe5M/uplcv?utm_term=the+mean+of+binomial+distribution+isPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e334.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE334 18676 bytes
SHA-256: d28bd948467b69ea139bb5e0226ebea8aaa84a6ae7e401a03dc22a5f9fcada64
font_01_sfnt_off000113ee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x113EE 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.