Malicious PDF — malware analysis report

Static analysis result for SHA-256 c54bffca77ff59df…

MALICIOUS

PDF

64.0 KB Created: 2021-06-25 00:16:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: e3f2805075563fc35c73bf4eb29eda04 SHA-1: 5569edbfb6c0c13c9687d3268ba90092d10fd9f7 SHA-256: c54bffca77ff59df85dc70e2743b7a4f100fd7a3b8c81de395247f410f528e1e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document contains numerous links to compromised WordPress sites, suggesting it is part of a link farm designed to distribute malware or phish users. The presence of a movie download lure further supports a phishing or malware distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9776

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.lightingsolutionsal.com/wp-content/plugins/super-forms/uploads/php/files/63e4d7d885189b9658371f34dd8e64c8/difeziwani.pdf In PDF document text
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/c0e417610873ee51b088daaf0f238391/gijevasito.pdfIn PDF document text
    • http://richmediahouse.com/admin/uploads/file/96557550958.pdfIn PDF document text
    • https://urbanplace.me/wp-content/plugins/super-forms/uploads/php/files/cd885dbcf8492b3784dc21e46a088ca0/zomure.pdfIn PDF document text
    • https://www.vigo.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160911f45746c8---zugirudiwokawe.pdfIn PDF document text
    • https://www.chortho.co.uk/wp-content/plugins/super-forms/uploads/php/files/1ev6ntuiqcv40obj9b0i1s44g2/19664115498.pdfIn PDF document text
    • http://nakamurasangyou.jp/app/webroot/uploads/files/vesamigamumadapebufava.pdfIn PDF document text
    • https://arizonalightingsales.com/wp-content/plugins/super-forms/uploads/php/files/3e8a8e70d535b768d78b8599a07c7543/golusoladexep.pdfIn PDF document text
    • http://schouteninterieurwerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160815a67ca53f---wiwavosu.pdfIn PDF document text
    • http://xboxheerlen.nl/userfiles/file/tiwifomiwovudob.pdfIn PDF document text
    • https://ercrs.org/wp-content/plugins/super-forms/uploads/php/files/1v1j5diof2qfk79stdbnf8p0ba/tipapanofa.pdfIn PDF document text
    • http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f39c788b78---puwolatofegaga.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ac913de6507---83707661229.pdfIn PDF document text
    • https://tcufroghouses.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e7aa443077---nofanume.pdfIn PDF document text
    • https://www.partyshuttlebus.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608c91df92534---71308891678.pdfIn PDF document text
    • http://banghetretruc.com/media/ftp/file/97226394698.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=kgf+2+full+movie+telugu+downloadPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eac2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEAC2 5204 bytes
SHA-256: 820700994c7c7db5cf314b8a4144629ff539e6462af5ae9ff23857589e0ce5ef