Malicious PDF — malware analysis report

Static analysis result for SHA-256 aaaeeadb95b73fb9…

MALICIOUS

PDF

62.5 KB Created: 2021-08-31 11:04:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: cc0ebad59437fea285ab2261c16e47c7 SHA-1: 756e76341e6c5831980df5234437ee3209cd652b SHA-256: aaaeeadb95b73fb9a12d0220583edc5cf84d0233103c84a61a524c989409033a
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF file flagged by ML classifiers and ClamAV as malicious. It contains numerous embedded URLs, many pointing to compromised CMS uploads and disposable hosting, suggesting a link farm designed for phishing or malware distribution. No scripts were extracted, but the PDF structure and URL patterns are indicative of a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9505

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://romanakladatelstvi.cz/userfiles/file/sijugade.pdf In PDF document text
    • http://www.feniuniversity.edu.bd/app/webroot/ckfinder/userfiles/files/24711294316.pdfIn PDF document text
    • https://machnhaduong.com/images/uploads/files/66672744919.pdfIn PDF document text
    • https://rimsball.com/ckfinder/userfiles/files/begodaza.pdfIn PDF document text
    • https://hafa-verein.de/wp-content/plugins/super-forms/uploads/php/files/7097b2c91346a61137c3753abd01796f/dikatapebumure.pdfIn PDF document text
    • https://georgiamusicpartners.org/wp-content/plugins/super-forms/uploads/php/files/63909c8c6a666c9edaa85a346c4c6798/49080619617.pdfIn PDF document text
    • http://poorclarescork.ie/images/lokorenedobesogura.pdfIn PDF document text
    • https://moniimpex.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bc255a9cb1---44841322594.pdfIn PDF document text
    • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610750ece4294---fivodigunefozonikij.pdfIn PDF document text
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/16098856329d1a---83517699470.pdfIn PDF document text
    • https://noihoithanhtuan.com/media/ftp/file/77545165626.pdfIn PDF document text
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8a18d86b7---24868573147.pdfIn PDF document text
    • http://prplus4u.com/ckupload/files/79927570550.pdfIn PDF document text
    • http://www.firengo.com/userfiles/files/91810667577.pdfIn PDF document text
    • https://www.escon.it/wp-content/plugins/super-forms/uploads/php/files/4c48113eb7b3c1ff0cbcc8e3f8d24c53/86191000217.pdfIn PDF document text
    • https://inchiriereelicopterromania.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ace47f6b158---dumadokurusosijilazuf.pdfIn PDF document text
    • http://fd-health.com/upload/ckeditor/files/8131855963.pdfIn PDF document text
    • https://perfectprojects.ro/userfiles/file/54996463747.pdfIn PDF document text
    • https://beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/e598912569412b2a0ac53469195ddb24/zatijunum.pdfIn PDF document text
    • http://happysmilecard.com/uploads/files/muvaz.pdfIn PDF document text
    • https://binhruamuinanobac.com/wp-content/plugins/super-forms/uploads/php/files/1dflt2s51aksvh4agn14std1jp/42088271000.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=purple+hibiscus+themes+and+quotesPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db77.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB77 11168 bytes
SHA-256: 20d67c6a2288a96c55d659f1f1ff1015a241cf93999ea7104dbd8d3672c624f2