Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3c23f4440912191…

MALICIOUS

PDF

39.4 KB Created: 2021-07-06 06:51:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-25
MD5: 3c2cdaf95a184a559d41089190309cab SHA-1: c60dcb6583a259d80af5b240caa89598d92aa01f SHA-256: c3c23f4440912191f979795988e0d28e8dd1daf680af03d583faeafa88227412
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories, contains embedded JavaScript and uses an image-based lure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8579

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 39 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=angular+applications+examples PDF link annotation
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/mg6nrl4jkb8ng1gf0c6hb41ks6/21703397689.pdfIn PDF document text
    • http://daieimotors.com/js/upload/files/32731665362.pdfIn PDF document text
    • https://readxyz.com/wp-content/plugins/super-forms/uploads/php/files/d553b0a25cd59b9b3e3db49d484d9bb7/92439553476.pdfIn PDF document text
    • http://parfumkin.ru/files/files/13077890183.pdfIn PDF document text
    • https://drivingschoolofnorthtexas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d41c3751d09---robazirabiwitawiw.pdfIn PDF document text
    • https://12tiga.com/contents//files/sosodakupexuwutatugiju.pdfIn PDF document text
    • http://nhs71.com/clients/d/d9/d9c6bfbc4bbdd207836d30c01fe5869c/File/sirakabasevakozafitavij.pdfIn PDF document text
    • https://numen-wow.com/userfiles/cloud//files/11717678017.pdfIn PDF document text
    • https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/7vo2fviapjd2dk7rgivirfn3eo/98880746606.pdfIn PDF document text
    • http://sosnovgeo.ru/userfiles/file/40521864856.pdfIn PDF document text
    • http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/vg40m9df64u56j08ruhtookp35/99476915850.pdfIn PDF document text
    • http://peeweeslearningcenter.org/clients/5/54/545fcf94abc6bccf175f3035c740e6d3/File/jufulajumene.pdfIn PDF document text
    • https://iescolumbus.org/wp-content/plugins/super-forms/uploads/php/files/8dfa74499f8e3ab6c26ca05d854ebba8/43634904905.pdfIn PDF document text
    • http://vdtonline.vn/static/uploads/editor/files/77210225785.pdfIn PDF document text
    • https://zapcdn.space/web/img/podborky/files/gunubiraj.pdfIn PDF document text
    • https://hmv.ir/wp-content/plugins/formcraft/file-upload/server/content/files/160a2f0529789f---44566642834.pdfIn PDF document text