Malicious PDF — malware analysis report

Static analysis result for SHA-256 c652c9ee96a4bf05…

MALICIOUS

PDF

81.5 KB Created: 2021-06-08 21:05:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 2c26fc5eb744417635df50a7ec154054 SHA-1: 47a40ab62f2fcee4624caae6f0841fa709497179 SHA-256: c652c9ee96a4bf059f952252f0d425960913ea43209d048a2beb21ff1db136c1
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6535

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wastran.ru/uplcv?utm_term=my+hero+academia+heroes+rising+online+123movies PDF link annotation
    • http://www.wallisandemmanuel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097a0bd1a725---52173709399.pdfIn PDF document text
    • https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607942c7093ba---nakuj.pdfIn PDF document text
    • https://patriot.ch/wp-content/plugins/super-forms/uploads/php/files/3na44okslk1e560vm1naav7q6p/fejexoxupikigatolimopuwu.pdfIn PDF document text
    • https://www.sudburyhighspeedinternet.ca/wp-content/plugins/super-forms/uploads/php/files/e94329d87a280122a9bff3db036c2b68/9039575016.pdfIn PDF document text
    • http://www.ambredore.com/wp-content/plugins/formcraft/file-upload/server/content/files/160792d1b5208b---joxevevavaweteramotapuz.pdfIn PDF document text
    • https://zweiund40.com/wp-content/plugins/super-forms/uploads/php/files/sa3gbvng57jmm10pubmcnsl794/65148944753.pdfIn PDF document text
    • https://rjiminfra.com/wp-content/plugins/super-forms/uploads/php/files/29d4aea5ad495b05a384d61d252e0ac7/ragazazonigadorem.pdfIn PDF document text
    • http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1607ed26140663---57492882981.pdfIn PDF document text
    • http://for-rent-leuven.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5a455d88c6---84917941285.pdfIn PDF document text
    • https://oncallanatomist.org/ckfinder/userfiles/files/28385671352.pdfIn PDF document text
    • https://miamiuniquelimo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609dbf57ae494---deduwikuva.pdfIn PDF document text
    • http://amdind.com/userfiles/file/rigoziwekemuzurebodoxikir.pdfIn PDF document text
    • http://aliglobshop.com/userfiles/file/supidof.pdfIn PDF document text
    • https://hpx.com.ua/wp-content/plugins/super-forms/uploads/php/files/86cf64c639ba80cf4788cbc8213f068d/kagozunumotebiwejubujij.pdfIn PDF document text
    • http://ecbpolska.pl/wp-content/plugins/super-forms/uploads/php/files/72fb352b0424fa9500f1d5cf92b21b60/betifiruwax.pdfIn PDF document text
    • http://compie.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160b265c89ed88---60985144960.pdfIn PDF document text
    • http://www.opentle.orgIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.gnu.org/licenses/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000118e8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x118E8 7516 bytes
SHA-256: 9f7428c57685dde8a76364ec335b08494eacfc039427c8bf47064b0dee50551e
font_00_sfnt_off0000f02d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF02D 6072 bytes
SHA-256: 4ca7351182d2dbad96af09aff38a1211c80eb08c712c4a1c25800bee2c0f39c5
font_01_sfnt_off00010509.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10509 5868 bytes
SHA-256: d93af988428a6605c649437e40e87f327364c1795f138832c27daf21406ded4d
font_03_sfnt_off00012d3b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12D3B 2876 bytes
SHA-256: b0f61b9915d63dbbb240d85340aa322ab89bc229f785903890fb01153f362681

Open this report in the interactive analyzer, or submit your own file for analysis.