Malicious PDF — malware analysis report

Static analysis result for SHA-256 b93e4973b999f1b9…

MALICIOUS

PDF

107.1 KB Created: 2021-10-05 11:24:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: f23c0dcf87c562c3a997df1031fc4909 SHA-1: aa7bb081e28136a677f95cd1eff4c64e3d4f6fdd SHA-256: b93e4973b999f1b97b1b4ff7b92449697a406039e4bb67285717534886b1db3f
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm with numerous external URLs, many pointing to compromised CMS upload storage. ClamAV detected this file as Pdf.Phishing.Trojan, indicating a malicious intent to phish or distribute further malware. The presence of multiple unknown and potentially malicious links suggests a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier clean score 0.2222

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://linker.tw/files/mudapepopumorujekira.pdf In PDF document text
    • http://kreativitaet-stadlhofer.at/global/images/userfiles/file/74767264470.pdfIn PDF document text
    • http://splhardware.com/UploadFile/file/2021090217080273499.pdfIn PDF document text
    • https://aprilboya.com/userfiles/file/12399901708.pdfIn PDF document text
    • http://lulanjina.net/upload/files/tugiluvesofajefudugidumi.pdfIn PDF document text
    • http://robertwestlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/6209415351.pdfIn PDF document text
    • https://highlander-inn.com/assets/userfiles/files/67741838506.pdfIn PDF document text
    • https://beta.nhatthiengroup.com/files/uploaded/files/57065056221.pdfIn PDF document text
    • http://1utilaje.ro/mm/file/61304723835.pdfIn PDF document text
    • http://khachsansapa.vn/webroot/img/files/lekifalasum.pdfIn PDF document text
    • https://0286869143.com/editor_images/files/sanesaguwapulexagageju.pdfIn PDF document text
    • http://snailgame.ru/upload/files/20210916051135.pdfIn PDF document text
    • http://saigonford3s.com/uploads/2021-09-15/images/files/98443616135.pdfIn PDF document text
    • http://rainhouse.kr/data/editor/file/65733907861582dc42ffab.pdfIn PDF document text
    • http://iamsoldierfit.com/wp-content/plugins/formcraft/file-upload/server/content/files/161387cdeeef71---duxuzabitusakawagevotita.pdfIn PDF document text
    • https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/bd11b61a30c56bff53929f48fe02dc4d/dukesunurufonagovutili.pdfIn PDF document text
    • https://zooiguana.pl/app/webroot/media/files/satuzurozeduvixuropozifof.pdfIn PDF document text
    • https://goez1.com/10005001208290177/ckfinder/userfiles/files/nenikumuluwunuwarawalamut.pdfIn PDF document text
    • http://vntattoosupply.net/uploads/image/files/votixekujofatefa.pdfIn PDF document text
    • http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/161311d5f3166b---wakekanurovafav.pdfIn PDF document text
    • http://ssatripoli.org/userfiles/file/9658395911.pdfIn PDF document text
    • http://optimaglobal.net/ckupload/files/ziboxizavaguwagigamedu.pdfIn PDF document text
    • http://aelma.com/sites/default/userfiles/file/noviborimedimeze.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=anopheles+life+cyclePDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014f80.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14F80 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00016792.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16792 21428 bytes
SHA-256: 3ddee58a91e2c0b4cf87944174b1334ac58a8222559234fe233b1f87159a539e