Malicious PDF — malware analysis report

Static analysis result for SHA-256 d14baf7820440b5a…

MALICIOUS

PDF

65.1 KB Created: 2021-07-06 19:47:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 7977b6e17b2ebe092d1d6d629004397d SHA-1: cb7ac2feae3ba14aba6f977ca05a4c13c60010da SHA-256: d14baf7820440b5a27d3ac096c403f191c935207f16e9f0fc0e00fa36b2e6d3e
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a large number of embedded URIs, many of which point to compromised WordPress installations used for hosting PDF files. This suggests a phishing or spam campaign designed to lure users to potentially malicious content hosted on these compromised sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5526

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=meaning+of+legalisation PDF link annotation
    • https://www.elitelawnsolutions.co.uk/wp-content/plugins/super-forms/uploads/php/files/e953gjoubu3hikulvpb60nmaas/50702317611.pdfIn PDF document text
    • https://www.hamburgeriaagricola.com/wp-content/plugins/super-forms/uploads/php/files/fea2p5fad66u9pjrp60aevbnkg/23133796824.pdfIn PDF document text
    • http://sad-azov.ru/wp-content/plugins/super-forms/uploads/php/files/f8adf47edfbf651008b53208a7a0e515/78199815184.pdfIn PDF document text
    • http://ofipapel.org//ckfinder/userfiles/files/64971175024.pdfIn PDF document text
    • https://osikovo.eu/webroot/img/content/files/66148869572.pdfIn PDF document text
    • http://5m-tti.com/uploads/image/files/kewufejetu.pdfIn PDF document text
    • http://wagnerpc.com/userfiles/files/xugajiwunuxil.pdfIn PDF document text
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/fb07846b2aa61ca6d7a3c7e2d045770a/86475349300.pdfIn PDF document text
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160799f2f3750f---kajiz.pdfIn PDF document text
    • http://technocom.pl/editor/file/mifuxozenuse.pdfIn PDF document text
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/f24ca8d5e406405cf34beee8f5b2b8dd/31507611700.pdfIn PDF document text
    • http://akbmodel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609439316c73a---jeduzexo.pdfIn PDF document text
    • http://chothuethietbi.info/img/files/nonudobarivujene.pdfIn PDF document text
    • https://christembassyromford.org/wp-content/plugins/super-forms/uploads/php/files/42993f4c8e443e2ac467e8b3763ffffc/sifolavexabusud.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/e9e2824082adc884d708213a1b6b12fe/lalubojopezi.pdfIn PDF document text
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1608a158d77fd7---55161740058.pdfPDF link annotation
    • http://batiment-tunisie.com/userfiles/file/xakupuxovikawozobupikomu.pdfIn PDF document text
    • https://francois-daulte.com/ckfinder/userfiles/files/22487839250.pdfIn PDF document text
    • http://www.ferm-matic.fr/upload/file/90584029741.pdfIn PDF document text
    • https://condominiovillage.com/userfiles/file/40152562035.pdfIn PDF document text
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/026ls1o1pbeh2ur3ootmdg85f6/kasewuxomimerafulagene.pdfIn PDF document text
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b6a12851e13---29540150743.pdfIn PDF document text
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/6pu59aa8bp7n171epbq8j0jlbc/punod.pdfIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.