Malicious PDF — malware analysis report

Static analysis result for SHA-256 d093d2a2554ad40b…

MALICIOUS

PDF

73.4 KB Created: 2021-09-05 13:28:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: cf069f3b6706d9a22fbed31e315ca67e SHA-1: 33658ddc385c80ef89ed7e0d6d311766cc7cf16a SHA-256: d093d2a2554ad40bd0fc7a1897a509af9ffbdfc91756c79d109d247cd464e4d7
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a link farm pointing to numerous compromised WordPress sites, which in turn host other PDF files. This suggests a tactic to manipulate search engine results or distribute malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4925

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://poexali.org/static/image/_u/system/files/neginabokoroxano.pdf
    • https://veglifekc.org/wp-content/plugins/super-forms/uploads/php/files//lopumefu.pdf
    • https://humanistbeauty.com/wp-content/plugins/super-forms/uploads/php/files/3h932ubabco0q4tuaok833cmb1/remanu.pdf
    • http://cuanhuaabshanquoc.vn/files/63563511497.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/r6oibgnnqh0pudjblh4ts56nk6/39681414960.pdf
    • http://studio-orlandini.com/userfiles/files/49931633106.pdf
    • http://www.oknookna.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d186f4b35b---99954365711.pdf
    • http://manhchenang.vn/webroot/img/files/topinoxopikaponarowun.pdf
    • http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/4a6e1ee3305c0f571ec6da6937a4a8ab/tebakevoxidetavolezenewuk.pdf
    • http://71mhsreunion.com/clients/f/fd/fd19d29f3ef40f7e1d0269d1df38e7d4/File/59058537828.pdf
    • http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/3d1c45cb4904e73050ae114e5aaa6eb2/menip.pdf
    • http://tiendanatacion.com/noticias/files/kaxagazoso.pdf
    • http://sarljarry.fr/userfiles/file/rizujiwasav.pdf
    • https://giorgiosantinelli.it/file/1689989215.pdf
    • http://dringraldi.com/clients/7/73/73ccc230e5ee2b020474e4a43bcd07af/File/dofavexugorudini.pdf
    • https://functionalmovement.gr/wp-content/plugins/super-forms/uploads/php/files/901e5c5a9d1d42621a49bf1bc7ffe999/91132420535.pdf
    • https://mnlex.it/file/91168826032.pdf
    • http://yachtandgulet.com/userfiles/file/zusifaw.pdf
    • http://xn----7sbakif2a3azdub.xn--p1ai/admin/ckfinder/userfiles/files/nofanasapu.pdf
    • http://www.louthadventures.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1607794453475c---59234157562.pdf
    • http://woodbridgeabw.com/uploads/files/subade.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160825b621a370---vawusegikiwozukegedo.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=digestive+system+lesson+plan+pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc4e.bin
b1449c8fe4c609ce223f56f63d5d31bb54b1475989aefaf40a0e3070384c68fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC4E 16880 bytes
font_01_sfnt_off0000f80b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF80B 16792 bytes
font_02_sfnt_off00011022.bin
c0a12e92ae13a9241f5e6e37a0ffee1bdfcb199e38a418e0d386d5e22703df75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11022 10924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.