Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad846ce81b896697…

MALICIOUS

PDF

73.4 KB Created: 2021-05-15 11:00:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-21
MD5: 95532f76e07c3b90f38ea13f75c97a58 SHA-1: 5797ccef6ed449ffec7b0e3b3826b68bc5b33802 SHA-256: ad846ce81b8966974d43a959f3140cbc5af862c995588c177c771ec6145ca44f
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many hosted on compromised CMS platforms, suggesting a link farm or phishing lure. The document body, though heavily obfuscated, contains metadata related to Google Chrome and wkhtmltopdf, potentially to masquerade as a legitimate file or exploit. No scripts were extracted, but the overall structure and URL patterns are consistent with phishing or malware distribution campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7771

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.nrlandscapes.co.uk/wp-content/plugins/super-forms/uploads/php/files/857d15e2f587351e883fa717f1bc00b6/97273639420.pdf In PDF document text
    • https://mudateconmigo.cl/wp-content/plugins/super-forms/uploads/php/files/9d9b0d6af94357ff6242c363c382a15c/81694426410.pdfIn PDF document text
    • http://brighterhealthcare.co.uk/wp-content/plugins/super-forms/uploads/php/files/ov36chtjkcrl8api7psgmu30f1/98410258317.pdfIn PDF document text
    • https://www.synergyheart2heart.team/wp-content/plugins/super-forms/uploads/php/files/raa2bd2mvjon0drubt3hp03c35/61944808902.pdfIn PDF document text
    • https://growlocals.com/wp-content/plugins/super-forms/uploads/php/files/29835b51bf76fd6fe508d519a21c8cf8/92648211719.pdfIn PDF document text
    • http://goteneplast.se/files/images/file/limenexajusoxisatok.pdfIn PDF document text
    • http://www.caribbeandentist.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087c6fcea3f8---gitotujenirijafujo.pdfIn PDF document text
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/2bvhm66ilqt85luma93somk1q3/natasexotogora.pdfIn PDF document text
    • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/160759526e1c32---lumoraxesaj.pdfIn PDF document text
    • http://szao-spb.ru/images/news/file/23606172121.pdfIn PDF document text
    • http://www.guaitoli.eng.br/wp-content/plugins/formcraft/file-upload/server/content/files/160824c63733ec---povomavi.pdfIn PDF document text
    • http://aksaaydinlatma.com/img/editor/image/file/83458553001.pdfIn PDF document text
    • https://relaxationplusmn.com/wp-content/plugins/super-forms/uploads/php/files/00ffbd86d301c96b983500ceb77a4e62/49275345629.pdfIn PDF document text
    • http://gennarimaq.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16075703978444---1605719444.pdfIn PDF document text
    • https://ambientltg.com/wp-content/plugins/super-forms/uploads/php/files/fd804419ef63fbf9705b518ae4c6be44/godarilidapozutijereputa.pdfIn PDF document text
    • http://tubietelbar.hu/uploadfile/fonuf.pdfIn PDF document text
    • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/2cded80d9e17e7c77c0bd82601c22300/nivuxaselam.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=google+chrome+76++offlinePDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e5ae.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE5AE 4880 bytes
SHA-256: a7544e940725d64e635b75af0f22bc4495609db786e122ab91d92df9e8faa3eb
font_01_sfnt_off0000f622.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF622 11436 bytes
SHA-256: 1ffaf219f388f6100fe4dcd6f17aa75449f34b6c6e9b9298b8030e08fe42b1e4