Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab433a41d0da9e41…

MALICIOUS

PDF

Size: 83.2 KB
Created: 2021-06-10 19:54:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-02
MD5: 44b634d528dee16f2cfa5f86b4aa81ef
SHA-1: ad01bb8e869eb64438a865d8a037a6bb82fc1be4
SHA-256: ab433a41d0da9e41eab76087876b7b0b18e41b733e49b52c04050b4458e3f742
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many of them pointing into the upload directories of compromised WordPress sites. The document itself carries no exploit; the risk lies in the linked destinations. The specific URLs for this sample are listed under the EMBEDDED_URL heuristic below, each labelled with the channel (link annotation or document text) through which it was reached.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9626

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pixomot.ru/uplcv?utm_term=main+teri+ho+gayi+female+ringtone+mp3+download (PDF link annotation)
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160743c4185449---360313968.pdf (in PDF document text)
    • http://vladjurnalist.ru/archive/file/31046170289.pdf (in PDF document text)
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160855963aa4dc---vesanima.pdf (in PDF document text)
    • http://anhuishangbiao.com/upload_fck/file/2021-5-2/20210502224534231608.pdf (in PDF document text)
    • http://ahkjt.com/upfile/file/bunabat.pdf (in PDF document text)
    • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1609280def2d7b---23409200294.pdf (in PDF document text)
    • https://lakeshoresmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/oagq6pdobli0pb82a5qlrdphi4/lonugapixiveferuxoxe.pdf (in PDF document text)
    • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/16072c56cc8982---dipikev.pdf (in PDF document text)
    • http://www.dnevi-sekretarjev.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160b5b026b12ad---81314824928.pdf (in PDF document text)
    • http://kimhoatra.com/upload/fckimagesfile/ziwogadaruxiro.pdf (in PDF document text)
    • http://wchs67.com/clients/f/fd/fd50fd9748f3592dabdfdad26f378f15/File/nopubiwezuzepef.pdf (in PDF document text)
    • https://sip7.pl/autoinstalator/sip7.online/wp-content/plugins/super-forms/uploads/php/files/b9c1044435288db904563baae93881b1/75417038709.pdf (in PDF document text)
    • http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609835a33534a---bisujote.pdf (in PDF document text)
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b948f703b9b---13237077930.pdf (in PDF document text)
    • https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b7380c76603---35137376901.pdf (in PDF document text)
    • http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/160707db0ce502---93355369066.pdf (in PDF document text)
    The remaining eight URLs match the vendor, designer and licence strings carried in the name tables of common open fonts (Ascender/Liberation, GNU FreeFont, SIL OFL, DejaVu). They come from the five embedded sfnt fonts listed under Extracted artifacts, not from the link farm, and should not be treated as indicators:
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
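The two link-farm heuristics above (many PDF links spread across many hosts with no dominant host plus a utm_term redirector, and several distinct hosts serving files out of FormCraft/Super Forms upload directories) can be reproduced with a small raw-object scanner. The following script is an added example written for this page, not the analysis platform's own code: it pulls URLs out of /URI actions, Flate-compressed streams and the rest of the file, labels each by channel, discards URLs seen only inside embedded sfnt fonts (the licence strings listed above), and scores what remains. The thresholds (`min_links`, `max_dominant_share`, `min_cms_hosts`) are illustrative assumptions, and `build_sample` constructs a throwaway PDF around ten of the URLs from this report rather than parsing the real sample.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Upload-directory paths of the WordPress form plugins named in the report's heuristics.
CMS_UPLOAD_PATHS = (
    "/wp-content/plugins/formcraft/file-upload/server/content/files/",
    "/wp-content/plugins/super-forms/uploads/php/files/",
)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")      # TrueType / OpenType / TTC signatures
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")          # /A << /S /URI /URI (...) >>
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")     # stops at ( ) < > \" and whitespace

def _inflate(body: bytes) -> bytes:
    """Decompress a FlateDecode stream body; leave anything else (fonts, images) untouched."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body

def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels it was seen on: 'link annotation' (a /URI action),
    'embedded font' (inside an sfnt font stream, i.e. vendor/licence name-table strings) or
    'document text' (any other stream or object)."""
    seen = {}
    def add(raw: bytes, channel: str):
        seen.setdefault(raw.decode("latin-1").rstrip(".,"), set()).add(channel)
    for m in URI_ACTION_RE.finditer(pdf):
        add(m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")"), "link annotation")
    for m in STREAM_RE.finditer(pdf):
        body = _inflate(m.group(1))
        channel = "embedded font" if body.startswith(SFNT_MAGICS) else "document text"
        for u in URL_RE.finditer(body):
            add(u.group(0), channel)
    outside = URI_ACTION_RE.sub(b"", STREAM_RE.sub(b"", pdf))          # /Info dict, annotation dicts, ...
    for u in URL_RE.finditer(outside):
        add(u.group(0), "document text")
    return seen

def classify(url_channels: dict, min_links=8, max_dominant_share=0.5, min_cms_hosts=3) -> dict:
    """Apply the report's two link-farm heuristics. Thresholds are illustrative assumptions, not the
    analysis platform's. URLs seen only inside embedded fonts are ignored (font licence strings)."""
    parsed = {u: urlparse(u) for u, ch in url_channels.items() if ch != {"embedded font"}}
    pdf_links = [u for u, p in parsed.items() if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(parsed[u].hostname for u in pdf_links)
    dominant = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0   # share held by the busiest host
    cms_hosts = {p.hostname for p in parsed.values() if any(x in p.path for x in CMS_UPLOAD_PATHS)}
    seo_redirectors = [u for u, p in parsed.items() if "utm_term=" in p.query]
    findings = []
    if len(pdf_links) >= min_links and len(hosts) >= min_links and dominant <= max_dominant_share and seo_redirectors:
        findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    if len(cms_hosts) >= min_cms_hosts:
        findings.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    return {"pdf_links": len(pdf_links), "distinct_hosts": len(hosts), "dominant_share": round(dominant, 2),
            "cms_upload_hosts": sorted(cms_hosts), "seo_redirectors": seo_redirectors, "findings": findings}

# Ten of the URLs listed in the report above; the PDF built around them below is constructed, not the sample.
SAMPLE_LINKS = [
    "https://pixomot.ru/uplcv?utm_term=main+teri+ho+gayi+female+ringtone+mp3+download",
    "http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160743c4185449---360313968.pdf",
    "http://vladjurnalist.ru/archive/file/31046170289.pdf",
    "http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160855963aa4dc---vesanima.pdf",
    "http://ahkjt.com/upfile/file/bunabat.pdf",
    "https://lakeshoresmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/oagq6pdobli0pb82a5qlrdphi4/lonugapixiveferuxoxe.pdf",
    "https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/16072c56cc8982---dipikev.pdf",
    "http://kimhoatra.com/upload/fckimagesfile/ziwogadaruxiro.pdf",
    "http://counterreaction.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609835a33534a---bisujote.pdf",
    "https://sip7.pl/autoinstalator/sip7.online/wp-content/plugins/super-forms/uploads/php/files/b9c1044435288db904563baae93881b1/75417038709.pdf",
]

def build_sample(links, font_url="http://dejavu.sourceforge.net") -> bytes:
    """Constructed minimal PDF body (objects only, no xref): one link annotation per URL, a Flate-compressed
    content stream repeating the URLs as page text, and a fake sfnt stream carrying a licence URL the way
    real embedded fonts do. Enough for the raw scanner above; not a file a viewer would open."""
    text = " ".join(links).encode()
    content = zlib.compress(b"BT /F1 10 Tf (" + text + b") Tj ET")
    font = b"\x00\x01\x00\x00" + b"\x00" * 12 + font_url.encode() + b"\x00"
    parts = [b"%PDF-1.4\n",
             b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n%s\nendstream endobj\n" % (len(content), content),
             b"5 0 obj << /Length %d >> stream\n%s\nendstream endobj\n" % (len(font), font)]
    for i, u in enumerate(links):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >> endobj\n"
                     % (10 + i, u.encode()))
    return b"".join(parts)

if __name__ == "__main__":
    urls = extract_urls(build_sample(SAMPLE_LINKS))
    for u, ch in sorted(urls.items()):
        print(f"{', '.join(sorted(ch)):32} {u}")
    print(classify(urls))
```

Two caveats for real samples: the scanner walks raw objects with regular expressions, so object streams (/ObjStm), encrypted files and incremental updates need a proper parser (pdfminer, pypdf or pdfid/pdf-parser) in front of it; and the font check only catches ASCII name-table records, since Microsoft-platform records in sfnt name tables are UTF-16BE and would need decoding before the URL regex sees them.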

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e06f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE06F   6536 bytes
  SHA-256: 780c02f04f4e9048275452312e6591d5f0958f867da2031f676091c700148ab9
font_01_sfnt_off0000f09a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF09A   5640 bytes
  SHA-256: f0bc9347fc11ef5b65b2675dff8b52e46de2e2e103354689d4a41313ae908353
font_02_sfnt_off000103c5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x103C5  4452 bytes
  SHA-256: eeebc557700987408dc7940702d1e837d4cb5ff3e9be608a70bdabadd21021a6
font_03_sfnt_off000113a1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x113A1  10892 bytes
  SHA-256: 5701f8d6ae182f920dd31e6ad5f88f373284462a1d7104f606e4e46770cb748c
font_04_sfnt_off000138de.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x138DE  16092 bytes
  SHA-256: 39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67