Malicious PDF — malware analysis report

Static analysis result for SHA-256 c62cad952c713a2e…

Verdict: MALICIOUS
File type: PDF
Size: 95.8 KB
Created: 2021-08-13 11:51:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 91e7d620b54d73e3f02b8adb26638893
SHA-1: 577a017014bbc485f458c56784bef87ca7172a93
SHA-256: c62cad952c713a2ed38378f4c73302496e75ee46c85c1441c25130c6bb59e0be
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as a malicious PDF by ClamAV, exhibiting characteristics of a link farm. It contains numerous embedded URLs pointing to various domains, many of which are hosted on compromised CMS upload directories or disposable hosting. The PDF_SEO_DISPOSABLE_LINK_FARM heuristic indicates a deliberate attempt to create a large number of links, likely to manipulate search engine rankings or distribute malicious content. While no scripts were explicitly extracted, the nature of the link farm suggests a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1383

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00015787.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15787
  Size: 16204 bytes
  SHA-256: 9f42e0df0ecddf60bc383a0792bb6d23a4adaf7a034a35fc3b83bc6db910b035

Filename: font_01_sfnt_off00016d49.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16D49
  Size: 1696 bytes
  SHA-256: 28c5bcedffb0f63c0f18ed07264126f7c833899b916de9a351f9850be7cb6bae