Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5ef72b8d1436dd5…

MALICIOUS

PDF

Size: 76.2 KB
Created: 2021-09-06 04:03:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-23
MD5: 042cc2f9ac164aea3cd2cbae3ea5f7aa
SHA-1: d1f14fcbf18e01b83ad5ec178b9c36f69a935356
SHA-256: b5ef72b8d1436dd5ad335d641a027930aa7bb66591d2617ea7597f48090e8d4b
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to distribute malicious content or phish users. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6010

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium; rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium; rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels below for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://binhvi.com/upload/files/dejozinipemotev.pdf (In PDF document text)
    • http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160f6aa47b7adb---dijunit.pdf (In PDF document text)
    • http://generaltubi.com/container/ckfiles/files/zalobofepebanu.pdf (In PDF document text)
    • http://zgkimsteszew.pl/img/upload/files/piguzemarejomekifiwovewe.pdf (In PDF document text)
    • http://www.skupp.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1613177a75f70d---96519417481.pdf (In PDF document text)
    • http://jyjwqj.com/uploadfile/file///2021053122425190.pdf (In PDF document text)
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160b1c8e64819a---95221056735.pdf (In PDF document text)
    • http://www.nanodrywash.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bb714b282ea---99218103479.pdf (In PDF document text)
    • http://notar-frings.de/userfiles/file/bukeluwegosipofarevagewom.pdf (In PDF document text)
    • https://lsp.od.ua/wp-content/plugins/super-forms/uploads/php/files/t5dbt9qu6b67pi9bds4ub0uqf6/labilotagujelaxetowulan.pdf (In PDF document text)
    • http://cga82.com/admin/File/46886997672.pdf (In PDF document text)
    • http://starlightcelebrates.org/clients/4/43/43e9139217482d7666ce300faf566241/File/92388876098.pdf (In PDF document text)
    • https://smoothnomad.com/wp-content/plugins/super-forms/uploads/php/files/p9seocms3kf939801mecqkdlhh/54033995012.pdf (In PDF document text)
    • https://hse.tw/upload/file/gipowipiwonukuwazilu.pdf (In PDF document text)
    • http://ruilong-ironwork.com/CKEdit/upload/files/61623388275.pdf (In PDF document text)
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/161003cd08a7f3---81665184299.pdf (In PDF document text)
    • https://daluxerealty.com/wp-content/plugins/super-forms/uploads/php/files/vi940okbmg3e2kdrf3t9d82171/41206275799.pdf (In PDF document text)
    • http://alhouti.com/userfiles/file/19389561305.pdf (In PDF document text)
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ef3d93d134---13266536634.pdf (In PDF document text)
    • https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8c81b24c14---2556053173.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=anatomy+and+physiology+coloring+workbook+11th+edition+pdf (PDF link annotation)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000da43.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA43 | 11532 bytes
  SHA-256: c8d30604efc010b2682d45d61965d7fc04edff6c7d2f926ed2d6ba1584a776a1
font_01_sfnt_off0000f529.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF529 | 18216 bytes
  SHA-256: 260c0e6af1f7d9fb549139a7752b1057be1de32db34bc013623697b77418d71a