Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd45249b56f836e9…

MALICIOUS

PDF

48.0 KB Created: 2021-09-06 10:57:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: d421cc7c8b2b4b7fa0a97703946e4a2b SHA-1: 07662a5bf7ff7eeb8c363d42a72c760b02927cda SHA-256: bd45249b56f836e9d518ffc46f8b7441577b35c310d5e6fc75651c6975b5a695
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript and numerous external URIs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to redirect users. The ClamAV detection and ML classifier further support its malicious nature, likely serving as a lure for phishing or malware delivery. The embedded JavaScript is likely used to facilitate the redirection or obfuscate the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6237

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://eszixv.hu/ckfinder/userfiles/files/36500638515.pdf In PDF document text
    • https://bakwanudang.com/contents//files/goxutosaba.pdfIn PDF document text
    • http://sumnerclassof1976.com/clients/4/49/49b54eafcc86ae0c30eb104ab8b91c7c/File/genanivafiluninojugemusan.pdfIn PDF document text
    • http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/1607cb47158882---63751930531.pdfIn PDF document text
    • http://mtreurope.com/ckfinder/userfiles/files/sojilexazewi.pdfIn PDF document text
    • http://timebymtm.com/upload/files/jifupedefomosuvosuwif.pdfIn PDF document text
    • https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/16113b3abb4aff---59779591549.pdfIn PDF document text
    • https://www.lashharmony.co.uk/wp-content/plugins/super-forms/uploads/php/files/jtt4nrbl48edujfslj1kcf6oaa/gefevexozuzaperez.pdfIn PDF document text
    • http://reicar.dk/userfiles/file/sometiv.pdfIn PDF document text
    • http://wwm-quanta.com/upload/files/68957778851.pdfIn PDF document text
    • https://intrigantka.ru/images/userfiles/file/fatijagonokimaputikege.pdfIn PDF document text
    • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160842632c2b57---kedisuginefemuweda.pdfIn PDF document text
    • http://www.advancedevents.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ac7594776f0---vubedipobejabiga.pdfIn PDF document text
    • http://www.boldino-hotel.com/ckfinder/userfiles/files/50353278035.pdfIn PDF document text
    • https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/210q5mp2i5f15b7lejlafp47ud/vojofikixikok.pdfIn PDF document text
    • http://sochi-polyana.com/ckfinder/userfiles/files/fajadumilabow.pdfIn PDF document text
    • https://getadoc.in/ckfinder/userfiles/files/9177088816.pdfIn PDF document text
    • https://getadoc.in/ckfinder/userfiles/files/gakodupuvudajumifun.pdfIn PDF document text
    • http://zdrowejaja.com/Upload/file/84560841096.pdfIn PDF document text
    • http://jmdfhjl.com/fckeditor/userimages/file/83883636396.pdfIn PDF document text
    • https://g-ortho.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a974d3ac1d4---74818666745.pdfIn PDF document text
    • http://iberryhomemade.com/userfiles/files/49004598318.pdfIn PDF document text
    • https://www.bankkartya.hu/js/ckfinder/userfiles/files/91902421846.pdfIn PDF document text
    • https://nailseasupportgroup.com/wp-content/plugins/super-forms/uploads/php/files/6d51894260d69c57be328594b94b78ab/bozobidaluxidofuxewep.pdfIn PDF document text
    • https://www.pferde-fuer-unsere-kinder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1611a093cc0819---sarupogaxojutufodurusubif.pdfIn PDF document text
    • http://areawifi.com/DESARROLLO/userfiles/files/28919096892.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=plano+metro+bruselas+2019+pdfPDF link annotation