Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb08684381b40bf2…

MALICIOUS

PDF

81.8 KB Created: 2021-09-05 18:28:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: d3ddab056b255076d6fac39840900597 SHA-1: 23417aa2a5c405cbb667b0febb8cd6c4cd6f71bb SHA-256: bb08684381b40bf20759fb29b3ee0dad5017e58cae145e7e92e8ce4961d5b911
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to distribute malicious content or phish users. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The file's structure and URL patterns are consistent with a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3497

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tsydesign.com/userfiles/jws/files/luwonezagazexim.pdf In PDF document text
    • https://mexico-airport-transfers.com/ckfinder/userfiles/files/fuxozibaxujud.pdfIn PDF document text
    • http://ride.hu/images/uploads/files/72895501842.pdfIn PDF document text
    • http://mishor-uvk.com/uploads/files/94924425740.pdfIn PDF document text
    • https://abugfreemind.com/userfiles/file/xetik.pdfIn PDF document text
    • http://pocatellocampfire.com/wp-content/plugins/super-forms/uploads/php/files/jljihvou1obs98i6tpq5m00use/garumunozofem.pdfIn PDF document text
    • https://www.andyselfstorage.co.uk/wp-content/plugins/super-forms/uploads/php/files/3rlv91rb7f012lnf5qlvoqicri/7443773241.pdfIn PDF document text
    • https://hylyt.co/wp-content/plugins/super-forms/uploads/php/files/6283e0e047859e91677669fa1666284f/55483485895.pdfIn PDF document text
    • http://www.lauricedale.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160768a6bd21c3---80259309698.pdfIn PDF document text
    • http://ominocoibaffi.it/userfiles/files/17285919209.pdfIn PDF document text
    • http://atek-ent.com/upload/file/21560673857.pdfIn PDF document text
    • http://altelaw.com/uploads/image/file/mitufasi.pdfIn PDF document text
    • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/8dsdnmrat5r4kd8s3hinjne494/89153119106.pdfIn PDF document text
    • http://luxcottage.ru/stroykamen/userfiles/files/95816122228.pdfIn PDF document text
    • http://pilot-market.ru/new/files/file/doneduwe.pdfIn PDF document text
    • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3e798146f6---92226941920.pdfIn PDF document text
    • http://hgbs.de/userfiles/file/9115775680.pdfIn PDF document text
    • https://flylights.pl/wp-content/plugins/super-forms/uploads/php/files/qq8p49a6l6tbs06tjio0lr62tt/69619608124.pdfIn PDF document text
    • http://allycatering.com/userfiles/zazamekiwijavoba.pdfIn PDF document text
    • https://tecsal.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160960432b262e---33822933657.pdfIn PDF document text
    • https://www.sblending.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a3d8fe3507b---nebupikolejidivozerix.pdfIn PDF document text
    • http://www.mondzorgvesa-voorschoten.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ca7ad881f59---sunigekinozawag.pdfIn PDF document text
    • http://uspeh-kursk.ru/ckfinder/userfiles/files/86666189563.pdfIn PDF document text
    • http://atut-biuro.com/uploaded/file/guzivit.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=bppv+pdf+exercisesPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa84.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA84 17512 bytes
SHA-256: 5c6562f5ef0f1184a958ddb7592c117b3088c9aa14ce71dbdeb0a1d07d4204f6
font_01_sfnt_off0001281d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1281D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1