Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3535c4ab0c0756e…

MALICIOUS

PDF

70.2 KB Created: 2021-09-03 01:31:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: adc4d56b786c25221ecfafff0f769149 SHA-1: af2168a29a9b553f26a5e39696174d5348614f01 SHA-256: c3535c4ab0c0756eb65c7e186e5a709bf2078580c944468e47a6468abf951ef3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous external links, many pointing to compromised or disposable domains, as indicated by the 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' heuristics. The ML classifier and ClamAV detection further support its malicious nature. The primary attack pattern observed is the use of a link farm to direct users to potentially malicious content, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8214

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maintogelonline.info/contents/files/50922889025.pdf In PDF document text
    • http://guerrazzi.info/userfiles/files/35687531053.pdfIn PDF document text
    • http://aljazeerahdrilling.com/userfiles/files/totetimodatewigetipul.pdfIn PDF document text
    • http://eltonltd.ru/sites/default/files/uploads/witejojeweg.pdfIn PDF document text
    • https://www.grandeprairie.org/wp-content/plugins/formcraft/file-upload/server/content/files/160f6f6a084ee2---duzesan.pdfIn PDF document text
    • https://globalazeri.az/wp-content/plugins/super-forms/uploads/php/files/bsq0dep7g9bjgnqh0q2rh5h9d3/92156748601.pdfIn PDF document text
    • http://global-poseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab0ef2e169a---sizejumazag.pdfIn PDF document text
    • http://azbuka-d.ru/ckfinder/userfiles/files/zakuxidokesolofujop.pdfIn PDF document text
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/ikb96r24eq1f084pf1ncoua3vp/wusekomo.pdfIn PDF document text
    • https://samiznojmo.cz/wp-content/plugins/super-forms/uploads/php/files/2c3280a02121d2ad02d1a782bbb5a092/dasuputixuf.pdfIn PDF document text
    • http://auxerretv.com/content/public/file/fatajopekidof.pdfIn PDF document text
    • https://qualityroofinnandsuites.com/nbloom/fckuploads/file/datazatosupofedakiwubaga.pdfIn PDF document text
    • https://twfern.org/upload/ckfinder_temp/files/20210526214507.pdfIn PDF document text
    • http://bobhendrix-law.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/bexibobitukurizubumodag.pdfIn PDF document text
    • http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1608b5a0d16b33---73331207087.pdfIn PDF document text
    • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c60592b583---jepisudowajuru.pdfIn PDF document text
    • http://www.tobywells.org/media/fckdir/file/49552561491.pdfIn PDF document text
    • http://artpolinakuzina.ru/pict/file/84644348818.pdfIn PDF document text
    • https://rtvpuls.com/ckfinder/userfiles/files/gemosad.pdfIn PDF document text
    • https://directprocessors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070b8da51fa0---malowakorawubebupobirotor.pdfIn PDF document text
    • https://argentinaproduct.com/ckfinder/userfiles/files/31265711540.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=water+resources+management+textbook+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d805.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD805 17496 bytes
SHA-256: ed54a0655383f0a93d8d53e88c8c5db7155984e3ca22ce8ccf5be13747b33b40
font_01_sfnt_off000104ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x104FF 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.