Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6600f4f9f2f75e1…

MALICIOUS

PDF

Size: 51.2 KB
Created: 2021-05-31 08:30:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 71db957e111aaf32337206392773cc19
SHA-1: b4f54e188fb821ad4ccc4a402d4ad0573267c58d
SHA-256: b6600f4f9f2f75e1cccd3255b0d3cac1c9785fa1820e84b3d00ed95fa95c413b
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to compromised WordPress upload storage and disposable hosting, suggesting it functions as a link farm to distribute further malicious content. The document body, though heavily corrupted, contains references to 'wkhtmltopdf' and 'land measurement calculator', indicating a lure to disguise the malicious nature of the links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7260

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage (medium) [PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) [PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.