Malicious PDF — malware analysis report

Static analysis result for SHA-256 b86c9e5c2945d9e1…

MALICIOUS

PDF

62.3 KB Created: 2021-07-27 15:42:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-02
MD5: cd78709daeed609058a888e4d14ee42d SHA-1: 7163b5d128b05361e58a0771d7de826971364ebd SHA-256: b86c9e5c2945d9e14e218d3a281f9fef0fec5d8b8df7087f9c62fe642e64ab62
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF was identified as malicious by multiple heuristics and a machine learning classifier, specifically flagging it as a link farm hosted on compromised CMS uploads. The embedded URLs point to various PDF files on different domains, many of which are also hosted on compromised WordPress sites, suggesting a coordinated effort to distribute malicious content or phish users. The presence of numerous external links and the nature of the hosting indicate a likely intent to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9438

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dossalas.com/wp-content/plugins/super-forms/uploads/php/files/890725dc26d6aad96000dd8e0d48d0d8/fedoxitubupopubodokin.pdf In PDF document text
    • http://tragadsonisurat.com/ckfinder/userfiles/files/mapaserasolijemujumazufu.pdfIn PDF document text
    • https://dacoma.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608a306142bf4---lumidizikifobef.pdfIn PDF document text
    • https://www.ltgpartners.com/wp-content/plugins/super-forms/uploads/php/files/3418b98650432529420bbc16ad6ee6cf/wowesuratanevawumisadam.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4a905cfaed---54096543372.pdfIn PDF document text
    • http://thebestpearsonfamily.com/clients/e/e6/e6a49a9b6fa3fb0349b1957bd02e8b5b/File/20442960837.pdfIn PDF document text
    • http://freetourscadiz.com//ckfinder/userfiles/files/73829343007.pdfIn PDF document text
    • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/7c2545d0c170b48672d8b958c1c37f17/78097553829.pdfIn PDF document text
    • http://brandiassociati.it/userfiles/file/83548265007.pdfIn PDF document text
    • https://rajatotogroup4.com/contents//files/kemipikubojabi.pdfIn PDF document text
    • http://www.peritaonline.es/ckfinder/userfiles/files/dubujawaviravabepij.pdfIn PDF document text
    • http://alexanderkanevskyartgallery.com/clientMedia/file/12793668686.pdfIn PDF document text
    • https://pakistanchristiancongress.org/userfiles/file/17805573527.pdfIn PDF document text
    • https://www.blackandwhite-salon.com/wp-content/plugins/super-forms/uploads/php/files/aef919fbaf9fa8afbfaecac6137a7de8/71792945216.pdfIn PDF document text
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/1606c85b726253---90166105161.pdfIn PDF document text
    • https://suemsas.com/wp-content/plugins/super-forms/uploads/php/files/ere6h4ip6sjiv5ai2ugmq2gvf6/namuzofijodolomimilulegib.pdfIn PDF document text
    • https://erdenet.mn/userfiles/file/xafalelejanipapa.pdfIn PDF document text
    • http://extreamtuning.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16085614036572---94772510831.pdfIn PDF document text
    • http://myredm.ru/uploads/file/fudabusamerukogejupesis.pdfIn PDF document text
    • http://dorrstrechy.cz/UserFiles/File/65283420685.pdfIn PDF document text
    • https://absoluteanytime.com/media_file/files/files/82950406671.pdfIn PDF document text
    • http://stpatricksreunion.com/clients/84553/File/numisowowizidufasajamepa.pdfIn PDF document text
    • http://yournamebadges.com/withyourdog/cms_uploads/file/sugikusetoma.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=rival+meat+slicer+1101e%2F7PDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c95c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC95C 17216 bytes
SHA-256: 6953c460de5c56e5228689dc830af0e18151b5a96064e548d26b3aa8c877402a

Open this report in the interactive analyzer, or submit your own file for analysis.