Malicious PDF — malware analysis report

Static analysis result for SHA-256 c970322e2f0553ed…

MALICIOUS

PDF

81.8 KB Created: 2021-06-28 08:06:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: fe86a78b2427dc3539877993e47767dd SHA-1: e6e40a1e8cc6f98c7be54d6e1b51ea7d51bffe8e SHA-256: c970322e2f0553ed5d8bf44c8e12ed34705105fe4cdd074425d2e9e187921e34
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file functions as a link farm, directing users to numerous external websites. Several of these links point to compromised WordPress upload directories, indicating a potential phishing or malware distribution scheme. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3778

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vandientuchinhhang.com/upload/files/13622047019.pdf In PDF document text
    • http://sewakendragroup.com/userfiles/file/31099647887.pdfIn PDF document text
    • http://urparitet.ru/admin/ckfinder/userfiles/files/vaxugujenomiboreru.pdfIn PDF document text
    • http://hart-metale.pl/gimnazjum/userfiles/file/dunewokade.pdfIn PDF document text
    • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1606f328001ce3---4480435505.pdfIn PDF document text
    • https://functionalmovement.gr/wp-content/plugins/super-forms/uploads/php/files/d23f73e99f5e62e644d45b6328c3f6f0/xuvasikojimujitesovem.pdfIn PDF document text
    • http://vtracauto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a96b62ee33c---40294392131.pdfIn PDF document text
    • http://coffee33.ru/archive/file/81550301963.pdfIn PDF document text
    • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/446c3cb28b666be987c178884469877a/13422676524.pdfIn PDF document text
    • https://cplastik.com/data/cms/file/tovezugikik.pdfIn PDF document text
    • http://www.expo-hotel.com/english/wp-content/plugins/formcraft/file-upload/server/content/files/16071c7eb61fdb---20042060613.pdfIn PDF document text
    • https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/df45127b00a8fb810e8430e8e9926262/sumal.pdfIn PDF document text
    • https://rmp-familienanzeigen.de/cms/files/60337700236.pdfIn PDF document text
    • http://www.hydro-tg.pro/upload/file/vifimegovazavulivepe.pdfIn PDF document text
    • http://autodilykanka.cz/cmsimple/images/file/mozufopu.pdfIn PDF document text
    • https://nepalonetours.com/userfiles/files/91847739265.pdfIn PDF document text
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/a405be8417a03eda6445ad03ad44ce40/ligagoruxogitibud.pdfIn PDF document text
    • http://kazenergy.kz/wp-content/plugins/formcraft/file-upload/server/content/files/1608f96d5d0ace---59748568576.pdfIn PDF document text
    • http://israel-aliya.com/wp-content/plugins/super-forms/uploads/php/files/a682557cb7d24076ff6a1fa22c564840/6796038627.pdfIn PDF document text
    • http://efuegypt.org/userfiles/file/61381859223.pdfIn PDF document text
    • https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/gm9vdrthh5h4mbep5obov3h47n/texatavanalavubozad.pdfIn PDF document text
    • http://oprfhs70.com/clients/879438/File/juzuzolonajukudanajipexow.pdfIn PDF document text
    • http://nowyhotelik.pl/userfiles/file/89556257221.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=once+upon+the+wall+streetPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f878.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF878 17752 bytes
SHA-256: de6ab9e1deaa3a44c0b194cd19036d17f66cb553d8ee4733433fbd2fb3c2fd41
font_01_sfnt_off00012728.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12728 10592 bytes
SHA-256: a1b0d99a3923e5c29a5a2be02574962bed8162a2746dd9af521d0090c73a99fc