Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfc6e6ac10bda1bc…

Verdict: MALICIOUS
File type: PDF
Size: 115.1 KB
Created: 2021-06-20 11:13:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b1de06f01bb69a1ae1060fe45ac1839
SHA-1: 4b89caf57f81a4a111f3f88f50538d77887f420d
SHA-256: cfc6e6ac10bda1bc6aa0a1ff5b3d1d8a9782abfcd2b3588bdf3905977048555cd
Risk score: 124

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains numerous embedded URLs, many of which point to compromised websites and link farms. The ClamAV detection 'Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0' strongly suggests a phishing or trojanized document. The presence of multiple links to potentially malicious or compromised hosting indicates an attempt to lure users to malicious sites, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier clean score 0.1400

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename (with SHA-256)       Kind             Source                                      Size

font_00_sfnt_off0000f197.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF197   6440 bytes
  SHA-256: 3d4760ca295192c89086870ebbac49c5a5945404ea6ab57fca452cf2db5f569a
font_01_sfnt_off0001015b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1015B  22032 bytes
  SHA-256: 1018adbc287380d7d37b729df0e021ecc241f344436a641e1b7f5e207a2819a6
font_02_sfnt_off000147d2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x147D2  4744 bytes
  SHA-256: 0c8c1db89a3a47c6b7db14933bb8c85c7c82ed8cca9c616161e254578f2fc120
font_03_sfnt_off000157cb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x157CB  6340 bytes
  SHA-256: 7928f6bfcacf4b8c2218b012f30d6a688f7d600c2bceec2598b03ee34226b8f3
font_04_sfnt_off00016757.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16757  6664 bytes
  SHA-256: 038b285839091072f8808c28dd8910574bf4c8e936b38588e87369796a4bbc7f
font_05_sfnt_off00017eb4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17EB4  13056 bytes
  SHA-256: 2c27c191858d588a3807506700469b2bac35467bb70a1aae366ac82fb7947e30
font_06_sfnt_off0001a8a4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1A8A4  17308 bytes
  SHA-256: 0a7a570872c17b809e138c2c04ecc0acfff6c3b6511e24d1809dedef75c2d4ed