Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbf1af311db9d5ed…

MALICIOUS

PDF

72.1 KB Created: 2021-09-03 20:07:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: aee425255426d525b3d7003ad003e8ab SHA-1: f32aada67c7760a2715b427e18413b4e786cee97 SHA-256: cbf1af311db9d5ed293a43005b8202e2c888927c4a7c6d047ddbb038ec3bd38d
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected by ClamAV as a phishing trojan. Static analysis revealed multiple links pointing to compromised WordPress upload directories, suggesting a link farm designed to redirect users. The presence of these links and the ClamAV detection strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4060

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bf-pomosch.ru/wp-content/plugins/super-forms/uploads/php/files/n4vfulrvslb0utalnespeakne4/xotunebigujize.pdf In PDF document text
    • https://coloreverything.love/wp-content/plugins/super-forms/uploads/php/files/708ef6ea8815d7c216529e6b4976c4e0/16928547761.pdfIn PDF document text
    • http://medicamarsala.it/userfiles/files/jilovozipigovifejig.pdfIn PDF document text
    • https://mariellatriolo.it/public/file/55418832893.pdfIn PDF document text
    • https://seataclightingalaska.com/wp-content/plugins/super-forms/uploads/php/files/8ed0454d45383dbfa46eaf0171ac32b2/satunigapuwima.pdfIn PDF document text
    • http://119pump.net/d/files/14622847662.pdfIn PDF document text
    • http://trunghungplastic.com/luutru/files/63342563908.pdfIn PDF document text
    • https://esprimagroup.com/userfiles/file/dinav.pdfIn PDF document text
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/croqpcg9vus8dtd1s8sic8dgbs/bowukudegeb.pdfIn PDF document text
    • http://www.southforconstruction.com/frontend/web/ckfinder/userfiles/files/renisenenutaxuziwefitakuk.pdfIn PDF document text
    • http://www.rotudavid.com/ckfinder/userfiles/files/fawugoxuvigagavoxiwowiwi.pdfIn PDF document text
    • http://vasilii-orlov.fun/wp-content/plugins/super-forms/uploads/php/files/95a3460fe007f30d0d06f2bb42db22e1/domefaxelalefikim.pdfIn PDF document text
    • http://workprohealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608667fd89c0e---17757265445.pdfIn PDF document text
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/16127d75ce4c5a---75988700233.pdfIn PDF document text
    • http://ats-dz.com/userfiles/file/fosexekas.pdfIn PDF document text
    • http://didula.ru/img/file/38196363213.pdfIn PDF document text
    • http://ipublicity.cz/data/file/82643487636.pdfIn PDF document text
    • https://www.webhisto.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1612398c0a61a8---75208233343.pdfIn PDF document text
    • http://ikkosushi.com/uploads/files/87345453432.pdfIn PDF document text
    • https://o2opr.co/userfiles/files/85874104862.pdfIn PDF document text
    • https://chp-travel.ir/data/file/57501291676.pdfIn PDF document text
    • http://aci-immobilier-douai.fr/userfiles/files/6718853920.pdfIn PDF document text
    • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/070qvkh8fduq91t0plni2etot0/kuzezemujosapuxeluf.pdfIn PDF document text
    • https://hagakure.by/upload/editor/files/jujapumorixoka.pdfIn PDF document text
    • http://payassistinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608267758f1dc---fowigid.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=motorola+apx6000li+manualPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb9a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCB9A 17964 bytes
SHA-256: a48abcf09872d6ae40026900b68a9d372ea1d04e22ed6ff2bb90a191fbe291e7
font_01_sfnt_off0000faa5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFAA5 10600 bytes
SHA-256: feb421653ef5d39cc76009d94a07959dbdb312065f19ddccf551713fb6b80c5b