Malicious PDF — malware analysis report

Static analysis result for SHA-256 b506c9794bbe74f0…

MALICIOUS

PDF

65.2 KB Created: 2021-05-26 17:42:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad44bde5fd189dc58bbc60a3d8e06260 SHA-1: ac53cd0fbe53f14ef4ade922cb96425396133da2 SHA-256: b506c9794bbe74f065b139e6739a83551955ae273e0d3b2ad56574217134e291
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as a phishing trojan by ClamAV and flagged by an ML classifier. It contains a link farm pointing to multiple compromised WordPress sites, suggesting an attempt to distribute malicious content. The document body, though heavily obfuscated, contains references to 'Final destination 5 movie download', indicating a lure to entice users to click on the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9736

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://saludocupacionalpso.com/home/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce5c2e2fa7---17030492013.pdf
    • http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/72d936109370abc63ab2a10be6a72e7b/3485871648.pdf
    • https://youstore21.com/wp-content/plugins/super-forms/uploads/php/files/3402679ac395415f5d24345deb8875bb/zidafoti.pdf
    • https://www.stjohnhomelessshelter.org/wp-content/plugins/super-forms/uploads/php/files/3e78b8462d63448ca1f1ad848f440ffa/32160362924.pdf
    • https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/8673bedf78d0c2ffa5c821a0248c9149/35889020730.pdf
    • https://aravlicraft.com/cmsCart//upload/file/47509004287.pdf
    • https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/af9673c4144092fa36f9b0feee15853b/sagonobezivasodudewap.pdf
    • https://foxtailmag.net/wp-content/plugins/super-forms/uploads/php/files/bccc6b7aeff9700cb2095a8b7d5c8419/doxunirukaw.pdf
    • https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6499ce2a15---83256556371.pdf
    • https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/9a44fadac01dad617bd7ad2feae2bee2/gemalajamedobenimin.pdf
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a8aabc38a37---1429422747.pdf
    • http://ilovegabal.net/fckeditor/_upload/file/70517867598.pdf
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/a6npit3tb3rknmk7l730cvf844/jononitu.pdf
    • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b10da1b0b8---zaxelufemel.pdf
    • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079003b479ad---99702421285.pdf
    • https://www.hungarianassociation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160791ca69df8c---43609258907.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=final+destination+5+movie+download
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dab1.bin
51dba2eb17a524f0264b4265ea3aa5a204d9738052904801887b65a60fceb66e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDAB1 4896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.