Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4314ad3da3218db…

Verdict: MALICIOUS
File type: PDF
Size: 67.9 KB
Created: 2021-07-31 12:11:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11
MD5: b5c43667632c8eea0ef119439a4fbff3
SHA-1: 88378f96d488e1c5252b99689114fe1289816e78
SHA-256: c4314ad3da3218db14d793d3c1ebddb4dce885c1eef503cc47286fc1a126eb23
Risk Score: 154

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier. It contains a link farm pointing to compromised WordPress upload storage, likely intended to redirect users to phishing or malware sites. The embedded URLs and the nature of the heuristics suggest a phishing or credential harvesting campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9758

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ketchas.ru/uplcv?utm_term=stick+warfare+blood+strike+codes+apk (PDF link annotation)