Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce6c0fb3e4e6aa36…

MALICIOUS

PDF

170.8 KB Created: 2021-06-11 13:07:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: 637d4fdfee6958392575a49a4ef58f85 SHA-1: 67df9a7869f6ccb5e16f4bc547631fd530fe848f SHA-256: ce6c0fb3e4e6aa3615d76b20e6a8c85e2e1012bb957ba39c0459dced847ae325
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm used for phishing or malware distribution. The presence of embedded URLs and the nature of the heuristics strongly suggest this document is part of a phishing campaign, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9625

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/uplcv?utm_term=the+testament+of+sister+new+devil+episode+2 PDF link annotation
    • https://valserve.in/web/k/main_admin/ckfinder/userfiles/files/4576509125.pdfIn PDF document text
    • https://jaunimodienos.lt/wp-content/plugins/super-forms/uploads/php/files/r2ebn4ie61ggfnaa62i6qkfc6n/33754502619.pdfIn PDF document text
    • http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160832ecb5be63---kujejiwegoronis.pdfIn PDF document text
    • http://jointrilogy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c944a3a69b---95469309572.pdfIn PDF document text
    • https://www.lesson-online.org/wp-content/plugins/super-forms/uploads/php/files/ldq92qv6nrdraf2aqd9eelkl85/68210836747.pdfIn PDF document text
    • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/h707bnvon1acog5aa405crp560/pipebofuko.pdfIn PDF document text
    • http://www.medical-psychology.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1608134ebbe4b6---64217470867.pdfIn PDF document text
    • http://shinies.ru/img/lib/file/86233095009.pdfIn PDF document text
    • https://ercrs.org/wp-content/plugins/super-forms/uploads/php/files/s871moi5gmivvdi65o7mo6v758/wixigasavosagupolun.pdfIn PDF document text
    • http://auto-spec.ca/fck/file/desanugugafexawe.pdfIn PDF document text
    • http://brainbond.ro/userfiles/file/5128904822.pdfIn PDF document text
    • http://christembassydocklands.org/wp-content/plugins/super-forms/uploads/php/files/177526e7d2e94fcab2e03ace6e0970f7/fugeneselowekodutoxomoza.pdfIn PDF document text
    • http://webscape.co.bw/wp-content/plugins/formcraft/file-upload/server/content/files/16081ee597eb15---lizebofewarasizubuvib.pdfIn PDF document text
    • https://drainscovers.com/wp-content/plugins/super-forms/uploads/php/files/a60d6d84cd199d79ed2375d59a7e7d80/43404199137.pdfIn PDF document text
    • http://a-swiss.com/upload/userfiles/file/lefazilipobo.pdfIn PDF document text
    • https://mission4recruitment.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609fcbbb03293---mabevib.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001fa13.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FA13 42052 bytes
SHA-256: 0110b3c1bee3b5a1a8e4080d8be13f5bf459c065b60cb3c5fc03803fac5117e7
font_01_sfnt_off00027c01.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27C01 5516 bytes
SHA-256: 8c9b61e3f3959df6053e9410f7e53697b708b188b1bf0ded8f85d961a41e1280

Open this report in the interactive analyzer, or submit your own file for analysis.