Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce34a29c5453ae23…

MALICIOUS

PDF

72.0 KB Created: 2021-07-10 08:59:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: b1acdc4c2855743052ed2bdc1ddac812 SHA-1: 1de561928cc20a2a6ca6be978238f4429ffa3161 SHA-256: ce34a29c5453ae235bd67e9e85eb41d86a108f9c99d2f3d0808821445733556b
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous embedded URLs, many of which point to compromised WordPress sites. The ClamAV heuristic identifies this as a phishing trojan. The primary attack pattern involves luring users to click on these links, which are likely designed to lead to further malicious content or exploits.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4988

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://endustriyelkiralama.com/wp-content/plugins/super-forms/uploads/php/files/f1hvulj5511k7s1ussm3idc9kr/xetunidobalepubosa.pdf In PDF document text
    • http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097da210aaf6---18976476454.pdfIn PDF document text
    • https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/0r2ueirfa0j4m8lfj3nnbme899/baboxigare.pdfIn PDF document text
    • https://xn--faade-mtal-p6a3a.ch/ckfinder/userfiles/files/wopevegukowudijusezamo.pdfIn PDF document text
    • http://alhouti.com/userfiles/file/56795270911.pdfIn PDF document text
    • http://transcash.com/ci/userfiles/files/49258980236.pdfIn PDF document text
    • http://55pluscommunityspecialist.com/userfiles/files/povolitepusatapovuzaxaz.pdfIn PDF document text
    • http://agriturismolescuderie.eu/userfiles/files/silawazexa.pdfIn PDF document text
    • http://work4shop.cz/userfiles/file/xixigop.pdfIn PDF document text
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095d4491c65d---xumirodimenigunuwusox.pdfIn PDF document text
    • http://aranykoronakft.hu/userfiles/file/58962559967.pdfIn PDF document text
    • http://www.dj-csnl.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ce4792bb097---muvebemubilup.pdfIn PDF document text
    • https://awlights.com/wp-content/plugins/super-forms/uploads/php/files/05b1ec08bdc7cecd52aea67d8b3cb59d/fajifodisidumetumezeguke.pdfIn PDF document text
    • https://www.kcequipment.com.au/wp-content/plugins/super-forms/uploads/php/files/340b5d7e47f3483859d08aec30e5948c/77973196052.pdfIn PDF document text
    • https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/om1npad2t7un8ejpl71lgjmnpj/31164159750.pdfIn PDF document text
    • https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/c4ae9fca16033a81dc9fcdf5be1875a5/xijemopile.pdfIn PDF document text
    • http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/kejgddd14cv0p2moeum8hkred0/jiragogufipopukedemeti.pdfIn PDF document text
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/bg2a4o1fp8kc73kn3rskanpo2t/lirimimugatapofivekese.pdfIn PDF document text
    • http://raylutickenterprises.com/userfiles/files/89954210902.pdfIn PDF document text
    • http://jinistudy.com/_UploadFile/Images/file/38900138162.pdfIn PDF document text
    • https://arrayamed.com/userfiles/file/83176541888.pdfIn PDF document text
    • http://cesishotel.com/res/wysiwyg/file/20881039897.pdfIn PDF document text
    • http://learnersdigest.org/userfiles/file/97142612458.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=droidadmin+for+iphonePDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.