Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0845028655d05a6…

MALICIOUS

PDF

64.2 KB Created: 2021-09-02 19:51:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-24
MD5: efd4bb61e4f7df074390be4b16d949b3 SHA-1: 61eafd0d70688f99d36e11cd86e9e2e0226258c8 SHA-256: d0845028655d05a6e300a1ae34fe62d80d0ac6deef7cd109e366e4f3e933a679
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs, many of which point to compromised or disposable hosting. Heuristics indicate this is a link farm designed to obscure the true destination, and ClamAV detection confirms its malicious nature. The ML classifier also flagged it as malicious, suggesting a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7605

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.agot.pl/upload/file/zivuxavitenalegog.pdf In PDF document text
    • http://lmleadmanagement.com/userfiles/files/larome.pdfIn PDF document text
    • https://xn--mgbaf4adbs1bd2i.net/upload/ckfinder/files/laxibetuwad.pdfIn PDF document text
    • https://thietbixaydungcantho.com/canthomobile2/public/images/sanpham/files/7503154727.pdfIn PDF document text
    • http://seidels-mineralienwelt.de/images/uploaded/file/pifowudajadikapasapasi.pdfIn PDF document text
    • http://maility.pl_adresuserfiles/file/38894527121.pdfIn PDF document text
    • http://dentalclinicbangalore.com/uploads/foxera.pdfIn PDF document text
    • https://topinsolventa.ro/userfiles/file/52667270124.pdfIn PDF document text
    • http://escritacontabilidade.net/fotos/news/file/49110143426.pdfIn PDF document text
    • https://gotamsui.com/ck_imgs/files/kotumovivigiletowerijigib.pdfIn PDF document text
    • https://ngoctraithaibinhduong.com/uploads/news_file/vudoturatov.pdfIn PDF document text
    • https://www.varishastalari.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c87c762ea3---12341717194.pdfIn PDF document text
    • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16075601495867---64486798037.pdfIn PDF document text
    • http://jirehenl.com/userfiles/file/04094322695.pdfIn PDF document text
    • https://datawire.gr/files/files/63282755525.pdfIn PDF document text
    • http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606f4ac5eaf2d---jesovenazupewidawafapel.pdfIn PDF document text
    • http://funperm.ru/content/file/tumodinuxawelero.pdfIn PDF document text
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160871482e2a8c---5752748364.pdfIn PDF document text
    • https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/15d31f2d2529db0b0bdba60d8983dc02/lutaledamilu.pdfIn PDF document text
    • http://geose.ru/userfiles/file/rezirumiwowoxaminat.pdfIn PDF document text
    • http://bangdientunhk.com/upload/files/59386796582.pdfIn PDF document text
    • http://www.consorcio.edu.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160c1758b58ddc---fexipufazijo.pdfIn PDF document text
    • http://kulturazebrak.cz/userfiles/37907685533.pdfIn PDF document text
    • https://hgb.se/filer/file/nekivan.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=anemia+de+celulas+falciformes+en+pediatria+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE9C7 10864 bytes
SHA-256: 31d222566da33ad90b44dfa5ce53bc3f113787d6961f752afca27f6b8ea8c159