Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9cb53ea01eeeae3…

MALICIOUS

PDF

65.3 KB Created: 2021-05-27 16:45:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab2b2d0e8f18e1ab485c1faafab627a1 SHA-1: 6592453bb7d2ff0e6ed1b49619364cd72851f7cb SHA-256: b9cb53ea01eeeae3117f1b6b0ad6d1b27b44ca5759ce8d3fabdc1f9b064bb4e2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many hosted on compromised CMS platforms, suggesting it is part of a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, appears to be a lure related to educational worksheets, which is a common tactic for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8702

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=coordinating+and+subordinating+conjunctions+worksheets+grade+5
    • http://xn--clinicaquirogavilario-vbc.com/wp-content/plugins/super-forms/uploads/php/files/adrh8lpv3vtaflvvjklahi89r6/33836150867.pdf
    • https://cvenhancer.com/wp-content/plugins/super-forms/uploads/php/files/cb3202245323b77600034c49a56652bc/gusabodorixaneri.pdf
    • https://www.denisonlandscaping.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608284e137bbd---74477925309.pdf
    • http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608484d67eb3f---fonikatur.pdf
    • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160a98be012310---41791924616.pdf
    • http://triumphtoday.org/wp-content/plugins/formcraft/file-upload/server/content/files/16072440ce43e1---tubitubinutoduligedetefil.pdf
    • https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/083d3b4caf1ff9f6b198d3ab3b38aac9/67687273152.pdf
    • https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/160971b6e5e70b---9183571923.pdf
    • https://alakharia.com/public_html/userfiles/file/76525018424.pdf
    • https://trimix.bg/UserFiles/File/45910345301.pdf
    • https://lerong.vn/wp-content/plugins/super-forms/uploads/php/files/282da32983b67806b3c3bd1b35510259/mezakavawumutomogajote.pdf
    • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/7gsra7a15k62pu7kbgb70fg626/pozifaje.pdf
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ac55475d56a---39780199369.pdf
    • http://xn--80akij1ajew.xn--p1ai/wp-content/plugins/formcraft/file-upload/server/content/files/160a88819db2dc---xarumugi.pdf
    • https://frasertechno.com/wp-content/plugins/formcraft/file-upload/server/content/files/160945d49c95dc---rexaworid.pdf
    • http://multiseal.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbd9cc0b1d---48893059288.pdf
    • https://msr-hudsonproperties.com/wp-content/plugins/super-forms/uploads/php/files/f116cb4826f8435c84bc79d14f541b69/lupetux.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e013.bin
c1cba7763ab3b1cc7455797ca8d56e00e39fb1a7ce00500edb2d9f03f9d71a87		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE013 5568 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.