Malicious PDF — malware analysis report

Static analysis result for SHA-256 aad11130f0c4fa44…

MALICIOUS

PDF

56.7 KB Created: 2021-09-05 18:01:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: f10cf2156dd974e003168c885e23049d SHA-1: 50fa05dfd2accd0ebd94b0eb082da4bbade2dda1 SHA-256: aad11130f0c4fa44f64eb4aa4443504d0974532ceeb4a0208eaa1bb74ff54315
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised CMS upload directories. Heuristics indicate this is a link farm designed to obscure the true destination, and ClamAV detected it as a phishing trojan. The ML classifier also flagged it as malicious, suggesting a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7186

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://fertilityupdates.com/userfiles/files/56101328559.pdf In PDF document text
    • http://www.lukoilmarine.com/ckfinder/userfiles/files/26091340058.pdfIn PDF document text
    • https://hfdjet.com/wp-content/plugins/super-forms/uploads/php/files/4ed84b295405b93694043e895a7a6e43/49374227524.pdfIn PDF document text
    • http://heryeryesil.com/resimlerfiles/sufuzerawup.pdfIn PDF document text
    • http://buren-kompanie.de/userfiles/files/77968257509.pdfIn PDF document text
    • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160d1d4e0500f8---5974006434.pdfIn PDF document text
    • https://solarconsulting.org/wp-content/plugins/super-forms/uploads/php/files/6a00d80bba3cfd06e0ae45f9be8d9bdb/nugepivuvakobunu.pdfIn PDF document text
    • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/0a763807531c82fdde56f14c78d9b22f/58648945006.pdfIn PDF document text
    • https://www.tangelo.no/wp-content/plugins/formcraft/file-upload/server/content/files/16081668f9e907---32341125872.pdfIn PDF document text
    • https://endoaccessories.com/wp-content/plugins/super-forms/uploads/php/files/98jfrih4t21pp3bcmkedj06sd5/55578146606.pdfIn PDF document text
    • http://ymmicro.com/files/files/pavasotixefoxikekis.pdfIn PDF document text
    • http://sarlampa.ru/upload_picture/69728237792.pdfIn PDF document text
    • https://desertflying.club/wp-content/plugins/formcraft/file-upload/server/content/files/16111eef81b9ff---xagifoderovifoj.pdfIn PDF document text
    • http://arniestribu.com/campannas/file/40808826069.pdfIn PDF document text
    • http://dainichiji.com/upload_ckr/files/34640961599.pdfIn PDF document text
    • http://villa-carlshorst.de/sites/default/files/file/14584320376.pdfIn PDF document text
    • https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609c5c5672957---64267787221.pdfIn PDF document text
    • http://quesnelbusinessnetwork.ca/userfiles/file/87082331526.pdfIn PDF document text
    • http://marinapogon.pl/upload/file/polasurumopekavuvozurizeb.pdfIn PDF document text
    • http://skikk.eu/app/webroot/files/userfiles/files/xetelemebumofom.pdfIn PDF document text
    • http://naucseto.cz/storage/wunalowosevow.pdfIn PDF document text
    • http://dungcucaytrong.com/images/files/55681054645.pdfIn PDF document text
    • https://bnbcostaverde.it/userfiles/file/54767093738.pdfIn PDF document text
    • https://oteaexpert.fr/cite_imgs/file/vewobuvi.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=malvern+continuum+mechanics+solution+manualPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c4de.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC4DE 10652 bytes
SHA-256: 5fc93379d091c2e581d47b0c76109d36b8b00d2b202c97fe9232bf4d555000ad

Open this report in the interactive analyzer, or submit your own file for analysis.