Malicious PDF — malware analysis report

Static analysis result for SHA-256 c38b898fb6f6b9d5…

MALICIOUS

PDF

73.5 KB Created: 2021-09-15 11:01:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: baa16dd09035edb3d9654942c553ce85 SHA-1: b0596ad0bc01fc0acae8df75ccc56cb3fa106707 SHA-256: c38b898fb6f6b9d55eb3690413313d3949f00600f856df7d71c4162e9d21ff3c
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to distribute malicious content or phish users. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The presence of PDF-specific heuristics suggests exploitation of PDF vulnerabilities or social engineering within the document.

Machine Learning

  • Nyx PDF Classifier clean score 0.2226

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/uplcv?utm_term=how+to+make+your+boots+shine PDF link annotation
    • http://dkind.net/userData/board/file/20386909591.pdfIn PDF document text
    • http://kortennis.co.kr/B/ck/ckfinder/userfiles/files/fexazakaweboge.pdfIn PDF document text
    • http://goldenagegroup.vip/userfiles/file/49626386795.pdfIn PDF document text
    • http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/1614153ec0358a---77674318764.pdfIn PDF document text
    • http://dothi.info/images/files/94899551793.pdfIn PDF document text
    • https://ripedzn.com/app/webroot/files/fckeditor/file/35657407959.pdfIn PDF document text
    • http://www.akutrans.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612ff62ced44c---41973125566.pdfIn PDF document text
    • http://cu-hinothai.com/ckfinder/userfiles/files/75391388640.pdfIn PDF document text
    • http://luluscafeonline.com/uploads/files/62417816304.pdfIn PDF document text
    • http://ex2010.com/uploadfile/file/2021090421031673499.pdfIn PDF document text
    • https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/0bqflv44g6vm1fh31p0mdqbncv/nepinomavoraxozot.pdfIn PDF document text
    • http://ipmarketing.net/FCKeditor/editor/filemanager/connectors/userfiles/file/84422519295.pdfIn PDF document text
    • http://landonintergroup.com/ckfinder/userfiles/files/jiratepas.pdfIn PDF document text
    • http://tractortools.cz/ckfinder/userfiles/files/mujazetitutubetomodav.pdfIn PDF document text
    • http://atomleasing.ru/media/File/36411514249.pdfIn PDF document text
    • http://twtime.com/uploads/files/202109120600569599.pdfIn PDF document text
    • https://burgas-remonti.com/userfiles/file/52376200274.pdfIn PDF document text
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614150a101078---fixug.pdfIn PDF document text
    • https://maintogelonline.info/contents/files/29799082742.pdfIn PDF document text
    • http://cbgnfinance.com/userfiles/file/54459283332.pdfIn PDF document text
    • http://farmaciafoglia.eu/userfiles/files/zomolexuguji.pdfIn PDF document text
    • https://newline-eg.com/userfiles/file/39318822504.pdfIn PDF document text
    • http://lapenya.cat/imgjovesnaves/file/77930506306.pdfIn PDF document text
    • http://holzbau-napetschnig.at/darulorodulirogodevusot.pdfIn PDF document text
    • http://systemsbiology.at/uploads/assets/file/73589301406.pdfIn PDF document text
    • http://aescantabria.es/upload/fckeditor/file///pirasim.pdfIn PDF document text
    • http://cmrivestimenti.com/userfiles/files/43410454659.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e6a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE6A7 10852 bytes
SHA-256: d616bffc7fee61e86ebeb21449297c84203c2cb8c814ed3eae870f328a542dba
font_01_sfnt_off0000ff94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFF94 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.