Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbaf679436b83fc8…

Verdict: MALICIOUS
File type: PDF
Size: 47.8 KB
Created: 2021-09-02 05:38:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-01
MD5: e5038596e8330e09dd2108f8b7769f6e
SHA-1: ab049523fea8ca6e8585e6f90153a62859aa1680
SHA-256: cbaf679436b83fc80184f0c5bb9adeac5707aa7602f3bbc534cea564d37ef7c4
Risk Score: 174

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm, many of them hosted in upload directories of compromised CMS installations, and uses an image-based lure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6277

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [severity: critical, id: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-only document with action trigger (screenshot lure) [severity: medium, id: PDF_IMAGE_LURE]
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 47 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF link farm points to compromised-WordPress upload storage [severity: medium, id: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [severity: medium, id: PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [severity: info, id: PDF_URI]
    PDF contains an external URL action
  • Embedded URL [severity: info, id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://unique.global/wp-content/plugins/super-forms/uploads/php/files/1dcca68323fb64080b66b6c5850c8c5d/domugewopiweki.pdf (In PDF document text)
    • https://fedico.ca/upload/editor/file/benedeban.pdf (In PDF document text)
    • http://oroblupiscine.it/userfiles/files/46919920235.pdf (In PDF document text)
    • https://kodcomputers.ro/2664/uploads/nobetemixenuva.pdf (In PDF document text)
    • https://www.chortho.co.uk/wp-content/plugins/super-forms/uploads/php/files/2pjvh1ao85ak6fjopvuaq2fikd/25409583655.pdf (In PDF document text)
    • http://sgadsahodayatarntaran.org/sahodyatarntarannew/userfiles/file/8588042654.pdf (In PDF document text)
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160961fc677a28---simagazeludor.pdf (In PDF document text)
    • https://ecole-anglais.com/upload/files/xikabapewejufifu.pdf (In PDF document text)
    • http://regimhotelierbucuresti.com/images/userfiles/miwaf.pdf (In PDF document text)
    • http://hanilkwanla.com/uploads/files/favilinefopure.pdf (In PDF document text)
    • http://fairbank-ia.org/admin/ckfinder/userfiles/files/nijipupel.pdf (In PDF document text)
    • https://glowskincare.net/wp-content/plugins/super-forms/uploads/php/files/2e10b7fce513f6631bb49cb9b4e79ddd/fivazukexe.pdf (In PDF document text)
    • http://vakantie-noordlimburg.nl/ckfinder/userfiles/files/95463045358.pdf (In PDF document text)
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/2fe79be02dab4f6c7295e399e8f794b0/41984703589.pdf (In PDF document text)
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160804313ac708---kebukixuregefivez.pdf (In PDF document text)
    • https://sip7.pl/autoinstalator/sip7.online/wp-content/plugins/super-forms/uploads/php/files/8af46829dee08dc4e8e06f14147d5d6b/tirajavibujuvope.pdf (In PDF document text)
    • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/i7snphbkr1ksm57m1u0osjo2k5/fagapitomarawufini.pdf (In PDF document text)
    • http://citescolairedeledit.com/include/file/nemiv.pdf (In PDF document text)
    • https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/a015bee6716ce67815fbb4c4530f1f42/jazenilerisizuvilewi.pdf (In PDF document text)
    • http://galettedesrois.hu/userfiles/file/bifazixuroloviroxamodub.pdf (In PDF document text)
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609646943b82f---zexoxad.pdf (In PDF document text)
    • https://chungcungoaigiao.net/uploads/files/goratasuxemuwexegesuvasam.pdf (In PDF document text)
    • http://thesprotia.gr/uploads/file/fafig.pdf (In PDF document text)
    • http://cctsjwhs.com/clients/0/08/08395bc9c2b8280888f0dabd04457394/File/wedajub.pdf (In PDF document text)
    • http://sciencevier.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089c911591f5---gokoxaberu.pdf (In PDF document text)
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac6d14dde55.pdf (In PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=20+36+house+plan+west+facing (PDF link annotation)