Malicious PDF — malware analysis report

Static analysis result for SHA-256 af01e2960a6d4440…

MALICIOUS

PDF

Size: 116.5 KB
Created: 2021-07-13 07:01:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-23
MD5: d4daa49532de993405bcfbe6fb16adfb
SHA-1: 590c360f254bdb521ebc8c2ad8970450bf2eae76
SHA-256: af01e2960a6d444080466714c642d1b83a4baaa1514e24b9fc52f4d7d15f3ae1
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1055.012 Process Injection
  • T1204.002 Malicious Link

The PDF file contains a link farm pointing to multiple PDF documents hosted on compromised CMS upload storage. This is a common technique for distributing phishing lures or malware. The ClamAV detection 'Pdf.Phishing.Trojan' further supports malicious intent. No scripts were extracted, and the document body was unreadable, which limited further analysis of the specific payload.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2866

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://aduanaldelvalle.com/userfiles/file/mowutedikejijavuw.pdf (in PDF document text)
    • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/3a7997301436e8cb1b4944da668a41b2/pokaduzepuxelawo.pdf (in PDF document text)
    • http://onlinemidias.com/ckfinder/userfiles/files/82189699481.pdf (in PDF document text)
    • https://vuaship.com/wp-content/plugins/super-forms/uploads/php/files/a5hss7hokekk45a7m7hbqoen82/nunafire.pdf (in PDF document text)
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/a81ec3ee6944797afa7a9cc15db23104/jifemunaginuxolukusori.pdf (in PDF document text)
    • http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d2a0ccb9e08---38412161450.pdf (in PDF document text)
    • https://tenshinorchids.com/FCKeditor_upload/file/patubuxerizasux.pdf (in PDF document text)
    • https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/b3f6ffbc1150ecc3ba95520904ae28fb/pijazanivedew.pdf (in PDF document text)
    • https://cwlighting.com/wp-content/plugins/super-forms/uploads/php/files/80a91e1d016e4ed27ca17652b2107ad1/jimelazujurefexujodurom.pdf (in PDF document text)
    • http://shopsuathientu.com/uploads/userfiles/file/23853956079.pdf (in PDF document text)
    • https://naseeha.org/wp-content/plugins/super-forms/uploads/php/files/7d795a1200faf30cc221c2612f6a1f47/39063226602.pdf (in PDF document text)
    • http://ttccid.com/userfiles/file/rugopudekufelalupipusa.pdf (in PDF document text)
    • http://hchs1972.com/clients/2/2c/2cb73362227bcfbd3ed6ae01b5b3dc46/File/92630098540.pdf (in PDF document text)
    • http://ouhkpthaa.org/userfiles/lulokoz.pdf (in PDF document text)
    • http://agcslohian.com/userfiles/file/52079016305.pdf (in PDF document text)
    • http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607588600a669---mipalevikogupode.pdf (in PDF document text)
    • http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4752632b52---zosomaworax.pdf (in PDF document text)
    • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/526910b7380caa9d66b36421d3a01cce/navafub.pdf (in PDF document text)
    • https://www.potterycommercials.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607d19b5b2d2b---45468687744.pdf (in PDF document text)
    • https://moniimpex.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bd27e182c8---27356221045.pdf (in PDF document text)
    • http://mtcongnghiepxanh.com/upload/fckimagesfile/wokekuwedagabal.pdf (in PDF document text)
    • https://usssecuritate.ro/userfiles/file/jitusabi.pdf (in PDF document text)
    • https://ceadersvalet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d66e716aded---26222423699.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/YTWXjIUwRh0/uplcv?utm_term=another+word+for+jokers+and+clowns (PDF link annotation)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0001291a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1291A
    Size: 29712 bytes
    SHA-256: 265711cb1273be27678b26196a9cf88e2557a9d49fc98dc09a1d336ca2e44f51
  • Filename: font_01_sfnt_off00016080.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16080
    Size: 12560 bytes
    SHA-256: b8d1c8702371094f05cc8fb028fb292ec9dd2768f983913003cc025e00f88e1f
  • Filename: font_02_sfnt_off00018804.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18804
    Size: 34216 bytes
    SHA-256: b2eb52fc92f318d4886f503d2dd697248225a2cc2f118e1c4314ed7cd8587b50