Malicious PDF — malware analysis report

Static analysis result for SHA-256 cebf1810914c797c…

Verdict: MALICIOUS
File type: PDF
Size: 159.5 KB
Created: 2021-06-19 15:41:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: d6621a12c2a75f04b4eea961a2e0eda1
SHA-1: c5d3fb947e83aedce2d525316281d9daf2c1f64c
SHA-256: cebf1810914c797c335ff85c60370c17244705490a0fc39feaf2318c622b9bc6
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which appear to be compromised WordPress installations or disposable hosting. The ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' strongly suggests malicious intent, likely phishing or malware distribution. The document body's reference to 'download fast and furious 9 hd' serves as a lure to entice users to click on the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2863

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, followed by the channel that reached it):
    • https://huntic.ru/uplcv?utm_term=download+fast+and+furious+9+hd (PDF link annotation)
    • http://pierrevillers.fr/mairie_files/file/3955438383.pdf (In PDF document text)
    • http://greece-ex.com/images/blog//file/pasifewopixajinaxome.pdf (In PDF document text)
    • http://opalsolar.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16075069d409d1---vamej.pdf (In PDF document text)
    • http://www.kmclogistics.com/wp-content/plugins/super-forms/uploads/php/files/d267fdab95872dd66e899763c49f8acd/legaban.pdf (In PDF document text)
    • https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/9m24ju5tbern3kpatofjmdo3dm/videpetoguwedabasel.pdf (In PDF document text)
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/sfh1dsbos0h0kb4erka0h698q3/dasopadexunefed.pdf (In PDF document text)
    • http://chi-kara.net/userfiles/file/fapuponijizurokusazurijew.pdf (In PDF document text)
    • https://www.makathastaliklari.net/wp-content/plugins/formcraft/file-upload/server/content/files/1607def4dbc5bd---79891113696.pdf (In PDF document text)
    • https://vickers-electronics.co.uk/wp-content/plugins/super-forms/uploads/php/files/4367a4499ac30d691a95aab691d54b6f/73537127095.pdf (In PDF document text)
    • http://vuatoyen.com/uploads/userfiles/file/firobinefoseraz.pdf (In PDF document text)
    • http://acmemask.com/upfiles/editor/files/wubamom.pdf (In PDF document text)
    • http://bamt.be/wp-content/plugins/formcraft/file-upload/server/content/files/1606d7bf38c17d---fexigeroliwiwusugima.pdf (In PDF document text)
    • https://controlcert.se/wp-content/plugins/formcraft/file-upload/server/content/files/160a880776afe5---pagigipijorojiziwu.pdf (In PDF document text)
    • https://summit-christian-academy.net/scauserfiles/files/ruwis.pdf (In PDF document text)
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/16084bbcde7349---50115024121.pdf (In PDF document text)
    • https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/9aq15n3u4qjq0en7o974867kg8/jojemaxasosotano.pdf (In PDF document text)
    • https://joebalogh.ro/imagini_ws/lipegasijiwutigudo.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)
    • http://dejavu.sourceforge.net (In PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (In PDF document text)

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e929.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE929 | 104640 bytes
  SHA-256: 7105cc35f7742cb4e77221939ba35db4e52ed810e08671e089be958355dc3d62
font_01_sfnt_off00021e83.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21E83 | 5240 bytes
  SHA-256: 8b02ad0e6c604be13150c198a8031c5b0570ca98750ef591d101529760e03b9d
font_02_sfnt_off0002305c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2305C | 2288 bytes
  SHA-256: 3a14ab69a8b12e47d594e4d31ff49bbb89731765a55fb2c3f8087a1c7584994c
font_03_sfnt_off00023ac1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23AC1 | 10672 bytes
  SHA-256: 71c7fac414519394b26588df96fd552613c76625ebb623a05bdb96871e40fbf3
font_04_sfnt_off00025f6e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25F6E | 19840 bytes
  SHA-256: f483479217618687cda18dfa2f61a330706b28f768cdf7a2e45d9f60d9a12e39