Malicious PDF — malware analysis report

Static analysis result for SHA-256 b814ad517657be00…

MALICIOUS

PDF

62.6 KB Created: 2021-05-08 13:52:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b42ad117f76d75415220799b9b99f5f5 SHA-1: a1ef36be21046129536ebc9350a12b19cc70d256 SHA-256: b814ad517657be008dc31124860dca16e151a05c9964dec0a4467acc1fe9c998
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The document contains numerous links pointing to compromised WordPress sites, which in turn host other PDF files. These linked PDFs are likely part of a phishing campaign or a malware distribution chain, leveraging a link farm technique to obscure the ultimate malicious destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9938

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16077c4ec4c3ac---26615653596.pdf
    • https://islandsvefir.is/wp-content/plugins/super-forms/uploads/php/files/0s3knjo77um53898ir4kl7onn6/solomolofogosimam.pdf
    • http://www.mondzorgvesa-voorschoten.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607eca94e7274---wofuzufimawifadu.pdf
    • http://www.canadiantreasurer.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607992be8fcc4---kutotibogemegulamamif.pdf
    • https://takeorders.online/wp-content/plugins/super-forms/uploads/php/files/h7gl87ue8pqstredt4jbnhaknn/gupabekadibomuwapusafawov.pdf
    • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/b63801aca0fa409efea944b732600ea4/18834589613.pdf
    • https://cashmeredreams.com/wp-content/plugins/super-forms/uploads/php/files/8063dd771b4aed7e27d5c840c50f0808/72679513299.pdf
    • http://www.uppld.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607ccc912122b---92178997012.pdf
    • https://www.nordatec.com/wp-content/plugins/super-forms/uploads/php/files/1cmrknd10ff8783pifu0lmm9a6/jawiguporevopiruzefi.pdf
    • http://www.pianoszimmermann.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608cb391cb762---29881665873.pdf
    • https://performanceltg.com/wp-content/plugins/super-forms/uploads/php/files/c2c030bda3ed55a7ac705be05a7210be/gekuwuvimuwakopujedilale.pdf
    • https://www.kiteschule-eckernfoerde.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607e8e6d9f19e---62086382416.pdf
    • https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/ne67rnqu686m6bf3mm6faupn50/jososazeke.pdf
    • https://aquaticlandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c89619f381---67358181161.pdf
    • https://www.wikiwebagency.it/wp-content/plugins/super-forms/uploads/php/files/490715a91bdd2cdf963da00025ab4652/sajunafibo.pdf
    • https://www.rekalibracija.com/wp-content/plugins/super-forms/uploads/php/files/c64a987027cb5bbbb8d39923ed240d50/67134199372.pdf
    • https://xn----7sbbjg7ctfs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/50b78b609a1e051ea0ccc00cffe0e438/dinebamon.pdf
    • https://www.glasswindowequipment.com/wp-content/plugins/super-forms/uploads/php/files/ec5f28ad5b5fce071c18552aad111f27/takumonunuliseril.pdf
    • https://web-sila.ru/wp-content/plugins/super-forms/uploads/php/files/f121779d02acba9f795764c42ffb4d7f/49602500674.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=ac+dc+thunderstruck+android+ringtone
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eba9.bin
f44c1dc2645d40183ecef0aa653da94205c0a8c7927736f958d6b04fc7c31698		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBA9 5224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.