Malicious PDF — malware analysis report

Static analysis result for SHA-256 b847238de1a96793…

MALICIOUS

PDF

62.3 KB Created: 2021-08-02 05:55:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 2ab0e3553d5347d2a49f81784f809116 SHA-1: a752a93e1d5834dc24c85c238f7cfaf9737667d5 SHA-256: b847238de1a9679347df36ded27469d9aa05c7705c5d1227de551dafdb569bcb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ML classifiers and ClamAV, indicating it likely exploits PDF vulnerabilities or serves as a lure. The document contains a link farm directing to multiple URLs, some hosted on compromised CMS platforms, suggesting a phishing or malware distribution attempt. No scripts were extracted, but the presence of embedded URLs and the nature of the heuristics point towards exploitation for client execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9446

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tch.lu/files/files/kafesozutazoli.pdf In PDF document text
    • http://svs-pm.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a64f1fc82e0---gexikezariduvonatixut.pdfIn PDF document text
    • http://accessiblevehicleservices.com/userfiles/file/90837895445.pdfIn PDF document text
    • https://www.bouwenaaneensterkwerkgeversmerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16088addaa4e8d---44086459160.pdfIn PDF document text
    • http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/ouejduri82n3kv7lbkbrrhlsdb/52454900886.pdfIn PDF document text
    • http://jingluo.net/uploadfiles/files/84932365239.pdfIn PDF document text
    • http://ekopaczka.pl/imgbrama/files/76644226881.pdfIn PDF document text
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/753cnh1u50sqsqanl4suphbthn/tuwumizesapibukona.pdfIn PDF document text
    • http://botanicgardenscafe.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16071422e24852---63923348743.pdfIn PDF document text
    • http://multiseal.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160d51a7f1f99f---36453343389.pdfIn PDF document text
    • http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609c5a80a19b4---vunugilemef.pdfIn PDF document text
    • http://www.hypnotiseur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aa5c4704416---71242433039.pdfIn PDF document text
    • http://whkmradio.com/userfiles/file/36804205249.pdfIn PDF document text
    • http://israel-aliya.com/wp-content/plugins/super-forms/uploads/php/files/d8fe3ff52f8c10e25fd4b90105d86beb/wufufapesenikitoka.pdfIn PDF document text
    • http://7onseventh.org/clients/868256/File/vojuwazebapakoxosakubi.pdfIn PDF document text
    • https://www.democratum.com/wp-content/plugins/super-forms/uploads/php/files/52ae16fcd8bceee0307c414c0d22d9d8/79633844071.pdfIn PDF document text
    • https://carthink.org/wp-content/plugins/formcraft/file-upload/server/content/files/160fbe983ee89d---75454316246.pdfIn PDF document text
    • http://innotack.com/userfiles/files/tajolavubere.pdfIn PDF document text
    • http://orourkelawoffice.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/vebotegipulobamifuxug.pdfIn PDF document text
    • https://www.parkgest.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1608cfe57f137b---daxopamipikotob.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b0efc9edbf0---rukisaselagikuzasoloso.pdfIn PDF document text
    • http://haciogullari.com/depo/sayfaresim/file/rojafesesuwepenile.pdfIn PDF document text
    • https://ijtm.in/userfiles/file/pitawawasupo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=pathfinder+kingmaker+the+price+of+curiosity+bugPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.