Malicious PDF — malware analysis report

Static analysis result for SHA-256 aaae9660c26cb36f…

MALICIOUS

PDF

73.5 KB Created: 2021-06-20 18:44:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-26
MD5: 4b2bfeab9f5e6365dcb45361564da834 SHA-1: 991888a9cb3445e966694e37c22f575e88af9af0 SHA-256: aaae9660c26cb36fc453cf537359cb3ef98436354d0a3ff77da63fbeeb110d8d
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains numerous external URIs pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The document body contains text related to 'Flish the future is wild', which likely serves as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8226

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=flish+the+future+is+wild PDF link annotation
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a79016e1ac8---8459601594.pdfIn PDF document text
    • https://www.oneirishrover.com/wp-content/plugins/super-forms/uploads/php/files/c039de55e0acd16ca1b2f27c721fd5bb/97877083441.pdfIn PDF document text
    • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/9ab9d8b77a87c04f12460aa8049bc05e/vubofug.pdfIn PDF document text
    • http://easyreturn.store/userfiles/file/bonazitewidupunijenevu.pdfIn PDF document text
    • https://kvgrup.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/160924fdd97d2e---51389365668.pdfIn PDF document text
    • http://lawcab.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16087f606b208a---subusobowexuxulik.pdfIn PDF document text
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/7ac36e1fed96cf5bb5d07b9a59837876/luzofi.pdfIn PDF document text
    • http://classicalgardenfountains.com/uplds/file/zaxuvaxoxegebokogito.pdfIn PDF document text
    • http://moveisgarciadigital.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16097f2c19e273---64784193059.pdfIn PDF document text
    • http://ateliergermain.net/sites/default/files/file/gomime.pdfIn PDF document text
    • https://noks.cz/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca6b299fcf---58379007126.pdfIn PDF document text
    • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/jsbj6gn8gnrdooafcl5sn49q49/6635391319.pdfIn PDF document text
    • https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/0aa123a00d22ba965073e7aad54f33d1/38220138731.pdfIn PDF document text
    • https://coachtourbusrental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca66bdbf54---xixevupajesapewe.pdfIn PDF document text
    • http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608c340b590d0---dimupesinajilejaribo.pdfIn PDF document text
    • https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/5de8f2f6777341032186a0db6f3159a7/10675077847.pdfIn PDF document text
    • http://askort.pl/Upload/file/42696315182.pdfIn PDF document text
    • https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/3050e9aa37c1dfb029f6c05537afbcdc/fomowolujuxeleb.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.