Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8dd25e2d6cc4649…

MALICIOUS

PDF

70.3 KB Created: 2021-06-29 12:34:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: 1dc3b52b011a961dd16e5a03b5aec56c SHA-1: f80351f40d784e936aeb714c3b0538d6cc461538 SHA-256: b8dd25e2d6cc46493c35c0278b8183d116be939871c26b0db0b85c03baf1bcbf
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which point to compromised CMS upload directories. The ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' strongly suggests a phishing or trojan distribution intent. The presence of a link farm on disposable hosting further supports a malicious purpose, likely to lure users to malicious sites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4729

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.nomorcantikjoss.com/file/2816588005.pdf In PDF document text
    • http://www.zopfitravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160722e7191936---xuxifopujagagujumeki.pdfIn PDF document text
    • https://www.dynasil.com/wp-content/plugins/super-forms/uploads/php/files/3dd3aa5d1aed989b12927e1c1cb56fc3/10640771029.pdfIn PDF document text
    • http://maslag.eu/userfiles/file/fetiwisujagam.pdfIn PDF document text
    • https://rlvanstory.com/wp-content/plugins/super-forms/uploads/php/files/dee167e6c8884e4f3542b66f79726dc6/xenozobodoxula.pdfIn PDF document text
    • http://grawerlik.pl/userfiles/file/zifikixoxifimuvazagafo.pdfIn PDF document text
    • https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/5d9142784aceffe4f7738176234c4110/gepokesevesosodezef.pdfIn PDF document text
    • http://www.veronicaneal.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/16090cf7abc827---sifuf.pdfIn PDF document text
    • http://ankaser.com/userfiles/file/juvedoju.pdfIn PDF document text
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609cb2c7a4146---20838756112.pdfIn PDF document text
    • http://raunlarose.us/wp-content/plugins/formcraft/file-upload/server/content/files/1607d5b10eb94c---91358696201.pdfIn PDF document text
    • http://travelshops.pl/userfiles/file/kowawedujukopevexa.pdfIn PDF document text
    • https://nam.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b7c1fce778b---80767980204.pdfIn PDF document text
    • http://www.adatechotomasyon.net/wp-content/plugins/formcraft/file-upload/server/content/files/160ab69990f775---36187918749.pdfIn PDF document text
    • http://sskj.pl/userfiles/file/74531402416.pdfIn PDF document text
    • http://hvpeds.com/upload/contents/file/47720473389.pdfIn PDF document text
    • https://www.darrellstuckey.com/wp-content/plugins/formcraft/file-upload/server/content/files/160718142cdfd6---ranupovile.pdfIn PDF document text
    • https://tripleccompanies.com/wp-content/plugins/super-forms/uploads/php/files/73cb47a765a5529fd6675a0a5c526be5/mejiwamadukomunapu.pdfIn PDF document text
    • https://www.kadinlarsitesi.org/wp-content/plugins/formcraft/file-upload/server/content/files/160855a7a49da5---fitavuwu.pdfIn PDF document text
    • http://tano-cable.com/d/files/lenakilaragatopanetide.pdfIn PDF document text
    • https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/le18pul42t1m5bv2od4qv69khp/kerazepebawawepudovazokij.pdfIn PDF document text
    • https://newat.ru/wp-content/plugins/super-forms/uploads/php/files/85300470f321527a6bf2f2cdaca90c0d/81540096722.pdfIn PDF document text
    • http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160998fda72d61---84988400410.pdfIn PDF document text
    • http://eko-inwest.eu/upload/file/96557057838.pdfIn PDF document text
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/vc7oajrom5nbb9c1pak7sbc20j/69148620624.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=vibe+with+you+meaningPDF link annotation