Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7711013f8e59e6b…

MALICIOUS

PDF

70.7 KB Created: 2021-09-19 14:22:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 67a9947fb05cba08eac25082dcf2b8fb SHA-1: e3157902bfb8090fdb4170b102d7d2c6c726c80e SHA-256: c7711013f8e59e6b6048fba7fad26d09c5370fa8264437201aed5e68b155601b
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan. It contains numerous external links, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users. The presence of external URIs and link farm heuristics indicates a malicious intent to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4393

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=free+proxy+vpn+apk PDF link annotation
    • http://whkmradio.com/userfiles/file/jezadejexexefitudem.pdfIn PDF document text
    • http://www.americaninvest.net/upls/files/63284335614.pdfIn PDF document text
    • https://pavaniautismschools.com/wp-content/plugins/super-forms/uploads/php/files/tk3blatp4e1p7n4sbj9f92kvm2/72281961445.pdfIn PDF document text
    • https://worldmedglobal.com/userfiles/files/xubuk.pdfIn PDF document text
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/ef39eb11f650c927fadcd37c29f2a0d5/litakogobabutenafabuvix.pdfIn PDF document text
    • http://ahzgbh.news-read.com/upload/files/wuvosibe.pdfIn PDF document text
    • http://grossbuch.com/upload/file/bozefiteperozefezoro.pdfIn PDF document text
    • http://wsm.hk/images/files/tepudugojevigolebe.pdfIn PDF document text
    • http://www.roosprommenschenckelfoundation.nl/ckfinder/files/files/soxuv.pdfIn PDF document text
    • http://apmnir.ro/fckfiles/file/fadekikusarovubo.pdfIn PDF document text
    • http://pnalog.ru/images/file/vabuvipuvositowepela.pdfIn PDF document text
    • https://www.saenger-ohg.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613493a60a6d8---bakizosafexukanutebavabuv.pdfIn PDF document text
    • http://eiak.org/upload/editor/files/28881007745.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16135bb875a604---xepopesavefubuvevakebo.pdfIn PDF document text
    • https://kaptenhoki.org/contents/files/68967915744.pdfIn PDF document text
    • http://honmamon-s.com/img_seminar/userfiles/file/jigekekanalinujerurom.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/161439ef7a3dce---72323842841.pdfIn PDF document text
    • https://lolakarimova.uz/ckfinder/userfiles/files/42023632812.pdfIn PDF document text
    • http://nwatchonline.com/userfiles/file/32581210382.pdfIn PDF document text
    • https://cooperadora.grupocreartel.com/documentos/archivos/22110687700.pdfIn PDF document text
    • http://www.rajpuc.pl/pics/file/rupawadojozapevujus.pdfIn PDF document text
    • https://agrimal.pl/userfiles/file/71717400598.pdfIn PDF document text
    • http://machin.kr/userData/board/file/85884559653.pdfIn PDF document text
    • http://atlantichomeportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613baff738a77---52498293544.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c7e1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC7E1 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000dff8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDFF8 10192 bytes
SHA-256: 152e30b5acd2db704904d286da3351eb8cda31c686c996e4aa84b4cf6fa6a6c7