Malicious PDF — malware analysis report

Static analysis result for SHA-256 be1f3d7fbcf79be8…

MALICIOUS

PDF

64.0 KB Created: 2021-07-20 11:29:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: b0276faca619d3fda974af6f1a3e52da SHA-1: dbd982fec7f91938165dfbd5f1b314fd1e65b8d0 SHA-256: be1f3d7fbcf79be8e02fa4a75d92f04b1396ca5a06874fbe9cd807032c6ba8fb
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. It contains embedded JavaScript and a significant number of external URIs, many of which point to compromised WordPress sites acting as a link farm. The presence of embedded JavaScript suggests an attempt to execute malicious code, likely to facilitate further exploitation or payload delivery.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4986

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://escolacaritas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160802eb2b6d6a---firakodaborafekixaxubut.pdf In PDF document text
    • http://labmansour.com/app/webroot/js/ckfinder/userfiles/files/29052173488.pdfIn PDF document text
    • https://juhaszautovill.hu/userfiles/file/dazoxoxopag.pdfIn PDF document text
    • http://svsteinfurth.de/radsportfiles/file/gukebetaretakeludulajofa.pdfIn PDF document text
    • https://atphp.ch/userfiles/file/besazuzaloj.pdfIn PDF document text
    • https://beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/61675914c983b40ea3b274a0b9154e18/wenitoropemakuzidigesev.pdfIn PDF document text
    • https://congchung7.com/upload/file/wamuze.pdfIn PDF document text
    • http://www.ashtralmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c24aaf0c74d---pumojanovinewozigasasi.pdfIn PDF document text
    • https://sgotomotiv.org/upload/files/4690856581.pdfIn PDF document text
    • https://www.reachcast.ca/wp-content/plugins/super-forms/uploads/php/files/290904f6b688c02cc3a2c149df097551/fasixefugotivono.pdfIn PDF document text
    • https://www.eziblank.com/wp-content/plugins/super-forms/uploads/php/files/8ba3101314dc429fa49a119e638ecafe/levunawobenuj.pdfIn PDF document text
    • http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091fb2b45668---95273922837.pdfIn PDF document text
    • http://vantaibactrungnam.vn/upload/files/60361653076.pdfIn PDF document text
    • http://dallassymphonyleague.com/clients/1/14/14bb4a025281f1a32078cb68571f7cf3/File/xelisawetoxipibigumukebo.pdfIn PDF document text
    • https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/f8177d129fa139d99cdf27e71e809f57/xefogunubutuwejadapopi.pdfIn PDF document text
    • http://alltechsro.cz/files/55466253875.pdfIn PDF document text
    • https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1608da476e4f83---12846249734.pdfIn PDF document text
    • https://luxartparquet.com/wp-content/plugins/super-forms/uploads/php/files/85b8c380ab72fa4aad553ec79b684735/losivupuxulexivozebilabu.pdfIn PDF document text
    • https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/55a2bd1387c65ea364d5716a8ee6c286/79543822272.pdfIn PDF document text
    • https://pemaboutiquehotel.com/assets/userfiles/files/8918683879.pdfIn PDF document text
    • https://myclubowners.com/userfiles/files/lokitut.pdfIn PDF document text
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/b685d34015347442e6ce959106eb1326/sefabuvunafa.pdfIn PDF document text
    • https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d8d6d293e70---90569675113.pdfIn PDF document text
    • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/c2cbf532c1c476d90fea4de77711bad8/nalofedojizamuwutenituk.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=download+windows+10+iso+file+64+bit+activatedPDF link annotation