Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca36176981830841…

MALICIOUS

PDF

70.3 KB Created: 2021-06-18 17:34:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: d4dcb946c356f9bf29f63859024bc37b SHA-1: ab8f7fea5dcd6d8dce67d7a0738d5d29b49a3dcd SHA-256: ca361769818308410134bd718f36652c4b500378395102b0301a024478663ab2
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to compromised WordPress sites or disposable hosting, suggesting it functions as a link farm. The primary goal appears to be directing users to potentially harmful websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8793

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=why+look+at+animals+john+berger PDF link annotation
    • http://tramtronbetong.com/uploads/userfiles/file/kavaxezesopuxofat.pdfIn PDF document text
    • https://heatingboiler.ca/fck_upload/file/jomutetevemojapeles.pdfIn PDF document text
    • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160880395a67c7---vegin.pdfIn PDF document text
    • https://www.karenlovelee.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f40970ef44---77841901799.pdfIn PDF document text
    • http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8a871bdd6d---53320952611.pdfIn PDF document text
    • http://al-bandak.com/userfiles/file/wisinotajawikugonezap.pdfIn PDF document text
    • https://alkalacarservice.com/public_html/userfiles/file/49078575056.pdfIn PDF document text
    • http://nnk.gr/wp-content/plugins/formcraft/file-upload/server/content/files/16092709ff27ba---vupekinukuxugiza.pdfIn PDF document text
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3daba91e87---56510289135.pdfIn PDF document text
    • http://rideabikenews.com/user_img/files/26483908003.pdfIn PDF document text
    • http://bagpack.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/160a38a120f441---favubetutideninesuwalot.pdfIn PDF document text
    • http://www.kidnuri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b11c646ddb---firilizufuka.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3169cd42f8---72016808732.pdfIn PDF document text
    • http://iccj.jp/images/uploads/fckeditor/file/75557056018.pdfIn PDF document text
    • https://ipic.vn/userfiles/file/34972502967.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE8F7 5492 bytes
SHA-256: 14650de2c5a9dfd9631ba620d50e5a359d01982f11a6775f6526e44b3acba283
font_01_sfnt_off0000fb95.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFB95 10784 bytes
SHA-256: e4c50f0f3f73856bb13c934f41045b0c99aae7db63dda1be29eea26f74850af9