Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad040aa4a9e669ce…

MALICIOUS

PDF

41.5 KB Created: 2021-07-01 12:53:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-04
MD5: d1f7353d62eac78ce323eb67fbb69d3d SHA-1: 1d0103382e5fed2e323b5984adf3225d2c3b1bf4 SHA-256: ad040aa4a9e669ced2b81c9c73186b1479e87fddd9ecedd0602827f050b973ba
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories and uses an image-based lure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8353

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 41 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cd94a15df4e---fijezawel.pdf In PDF document text
    • https://yidinfo.net/wp-content/plugins/super-forms/uploads/php/files/2gas7oojppqpfo9ebphnob5ank/zetik.pdfIn PDF document text
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160bb3c3b84693---19395207182.pdfIn PDF document text
    • http://qianxish.com/ckfind_image/files/81045770396.pdfIn PDF document text
    • https://spherule.org/wp-content/plugins/super-forms/uploads/php/files/gm3sreh5qc0lt2vvpdrn05je74/85030416998.pdfIn PDF document text
    • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/3012c74093a2c0cc461171957b7b07f9/28938464743.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f7b9041e01---towakox.pdfIn PDF document text
    • http://krindustria.com.br/site/wp-content/plugins/formcraft/file-upload/server/content/files/160b987eae361f---97819404327.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b309cdb5332---81465339465.pdfIn PDF document text
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/n2t6vvmhcc709eqgv0jq2r7tek/tiboxerivavawotod.pdfIn PDF document text
    • https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/63c36d3fdf954fa9e3964c4442fb6b64/44274711716.pdfIn PDF document text
    • http://yilip.net/userData/board/file/24257859836.pdfIn PDF document text
    • http://www.carolglassman.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607af9c2a4148---36814595840.pdfIn PDF document text
    • http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c9ba76fe53---91861389974.pdfIn PDF document text
    • http://beta-rc.com/upload/files/zafetowibax.pdfIn PDF document text
    • http://rapabzenec.cz/obrazky/files/jadipuniwejeturene.pdfIn PDF document text
    • https://whitesal.com/data/images/file/3973_20210628194551.pdfIn PDF document text
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/160756ce333388---lesagone.pdfIn PDF document text
    • http://xn--42-6kcdlkbomh7beggito5p.xn--p1ai/userfiles/file/xinofuzevamobifa.pdfIn PDF document text
    • http://sinara.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb131187b1---25512227382.pdfIn PDF document text
    • https://ndmoyun.com/calisma2/files/uploads/67446061233.pdfIn PDF document text
    • http://hnc2.com/userfiles/file/94496366371.pdfIn PDF document text
    • https://jiptv.nl/wp-content/plugins/super-forms/uploads/php/files/sh2a8doq0anlo83o47opdq1dte/53594262652.pdfIn PDF document text
    • http://benevolo.it/userfiles/files/78470255898.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/YTWXjIUwRh0/uplcv?utm_term=where+was+the+columbian+exchangePDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.