Malicious PDF — malware analysis report

Static analysis result for SHA-256 b963c78708f1903b…

MALICIOUS

PDF

Size: 144.1 KB
Created: 2021-07-08 09:33:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-31
MD5: 92747394dc2e80000bcf3eb2cda4d0a6
SHA-1: 8062eddd5739824592627e855a736dfbbe07f716
SHA-256: b963c78708f1903b682c695c463eb26f7c58b96079aa53d0c3775365cee943b9
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF was identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It functions as a link farm, containing numerous URLs pointing to other PDFs hosted on compromised WordPress sites. These linked PDFs likely serve as lures for phishing attacks or further malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6543

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF link farm points to compromised-WordPress upload storage
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.