Malicious PDF — malware analysis report

Static analysis result for SHA-256 bea826a936077f22…

MALICIOUS

PDF

65.8 KB Created: 2021-08-13 08:10:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: c693d8a6a1630f3454a0b97081787ba8 SHA-1: 1737ecf08a479aa1c3d6f12e6f79a099695d96be SHA-256: bea826a936077f22ae4ccc7edf7f27c019f47e9b562645c51871f45c0b5cc307
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The file was detected as a phishing trojan by ClamAV. Static analysis revealed it functions as a link farm, directing users to multiple compromised websites and disposable hosting domains. The embedded URLs suggest an attempt to distribute malicious content or phish for credentials.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3638

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://zdrowejaja.com/Upload/file/34480253817.pdf In PDF document text
    • https://celovechurch.org/wp-content/plugins/super-forms/uploads/php/files/ead57918927dc8cf369aa78a2fb26bba/nizivabes.pdfIn PDF document text
    • http://wsp.pl/userfiles/file/mafudukibugokipozida.pdfIn PDF document text
    • https://austdoorcaocap.com/upload/files/nebuloniz.pdfIn PDF document text
    • https://lescourailleurs.com/upload/editor/file/67029264752.pdfIn PDF document text
    • https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609f1be382612---josalowif.pdfIn PDF document text
    • http://cl-pub.com/files/files/39494728467.pdfIn PDF document text
    • http://delawaretravelmedicine.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078439f47770---27206480691.pdfIn PDF document text
    • https://stewsites.com/wp-content/plugins/super-forms/uploads/php/files/2e93f52835d4d418dead6f7d1083237f/69624484805.pdfIn PDF document text
    • http://www.morenoroofing.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072f42e1274e---59072001918.pdfIn PDF document text
    • https://www.sblending.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160712e3fca4ec---75590746803.pdfIn PDF document text
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3f73427ee2---57932226293.pdfIn PDF document text
    • http://orosweb.hu/ckfinder/userfiles/files/fusotusinodavamuxejimo.pdfIn PDF document text
    • http://solyaris.pro/admin/ckfinder/userfiles/files/xonawu.pdfIn PDF document text
    • https://outsourcedbackoffice.co.uk/wp-content/plugins/super-forms/uploads/php/files/e3488ed4ebbb12a7eec66c4f26a04198/79844104913.pdfIn PDF document text
    • https://lashmakerpro.it/wp-content/plugins/super-forms/uploads/php/files/fpv63q2klhf1pg5bjd0bahkkc0/pojerar.pdfIn PDF document text
    • https://5uempat.com/contents//files/dupaposudabojobaperagaf.pdfIn PDF document text
    • http://businessvaluationapp.com//fck_files/file/8781449976.pdfIn PDF document text
    • http://kaplanpm.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072c6061db01---toperakule.pdfIn PDF document text
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/c22aa3f908dd581bf65b47f42d06b6ea/borototafowatej.pdfIn PDF document text
    • http://aksaxena.com/bpms/includes/fckeditor_uploads/userfiles/file/malar.pdfIn PDF document text
    • http://churchliferesources.org/wp-content/plugins/formcraft/file-upload/server/content/files/16094599f9b6cc---94262698775.pdfIn PDF document text
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/16076024a110a8---37814363415.pdfIn PDF document text
    • http://goref.ru/files/file/50494074565.pdfIn PDF document text
    • https://tectrongim.com/uploads/files/wokonido.pdfIn PDF document text
    • http://www.kliningstroy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160811066e184d---mazafigaxe.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=bloons+tower+defense+battles+hacked+unblockedPDF link annotation