Malicious PDF — malware analysis report

Static analysis result for SHA-256 c896eb0127e92499…

MALICIOUS

PDF

79.4 KB Created: 2021-05-17 21:50:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1d1be651a2a547b6b6fe61f7e9f24f25 SHA-1: a55b00b269487509e08f91fa385df06846377d14 SHA-256: c896eb0127e9249996157de190ef7852b8e90c0ba260347f7595f6e9141bae4b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1190 Exploit Public-Facing Application

This PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It functions as a link farm, hosting numerous PDFs on compromised WordPress sites, indicated by heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM'. The embedded URLs likely lead to further malicious content or phishing pages, serving as a distribution point for malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9594

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.themeshcowork.com/wp-content/plugins/super-forms/uploads/php/files/7b96e7d6f00fbb2bb340d5ed9f5ab3cc/8178242533.pdf
    • https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ebb673aa26---nusezud.pdf
    • https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608942d4b1539---xomipojugenemikawazaf.pdf
    • https://www.tangelo.no/wp-content/plugins/formcraft/file-upload/server/content/files/1607788ad27070---84269398295.pdf
    • https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/c2b39f4964bab44bb4aab01df9fd1b6f/jumowalofinovor.pdf
    • http://aklond.com/UploadFilesfile/%5C/2021050212343875.pdf
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/1lqrq41ebo06u1f9bu4mf5ogl2/nedapimefegukamufag.pdf
    • https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a117b26afd1---tufote.pdf
    • http://stylist.in.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1608a30f903614---99857315448.pdf
    • https://www.varisistanbul.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e40a80ed83---68983639642.pdf
    • http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/1606c86322c276---zuzamekosidorokabodufesa.pdf
    • https://oklogistic.lv/upload/file/84440384772.pdf
    • https://brusroom.com/wp-content/plugins/super-forms/uploads/php/files/145b92a5b79987dbd9319c5be14eda29/46058166356.pdf
    • http://soupworld.de/upload/file/7853988611.pdf
    • https://mudateconmigo.cl/wp-content/plugins/super-forms/uploads/php/files/e97eab16f10f2e6fa7bfb335467204d1/51169616944.pdf
    • https://www.infratechgroep.nl/wp-content/plugins/super-forms/uploads/php/files/dcb5c31d70fceaad697c8bacbc6cb20a/46029792635.pdf
    • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/a4ccff8fac1e80f4d5449c7e6f960ae2/mivutesomow.pdf
    • http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608292bb2295b---mufaji.pdf
    • https://ketgate.eu/wp-content/plugins/super-forms/uploads/php/files/8ffee4972a9f67b9673fd5e2e19f07d2/91010080097.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=ejemplos+de+mecanismos+de+transferencia+de+calor+por+radiacion
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000103b4.bin
575f99367c5cd32f64c81f0d6aed8c810db17840653e706513b7dc73e8426975		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103B4 5336 bytes
font_01_sfnt_off000115c7.bin
9d41afcde43e2f42a92c0e71d58df0ff217b89ca74e30ea8d5f3b1b59abf2e8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x115C7 11388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.