Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2d6b8780d3bfea1…

MALICIOUS

PDF

104.0 KB Created: 2021-06-23 05:05:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-04
MD5: 0818d5429dfba990a21b43d4098fb752 SHA-1: a16ebcffb3cbcc50734e17d7a1a92fdedb4e5f9c SHA-256: d2d6b8780d3bfea1627d4be21ecaa04df58b45d2fb5a079c70668d3fab49fe3f
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV. The file embeds a large number of external links characteristic of an SEO link farm, many hosted on compromised CMS upload directories. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier clean score 0.1535

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://a-kamen.com/userfiles/file/badigapab.pdf In PDF document text
    • http://xn----8sbaqfskngn1qi.xn--p1ai/userfiles/file/wovap.pdfIn PDF document text
    • http://ingatlantv.tv/userfiles/files/3931822698.pdfIn PDF document text
    • https://nguyenthelong.net/userfiles/files/popipumiluxazuwunuxati.pdfIn PDF document text
    • http://ntrc.biz/clients/f/f0/f0759d16aca5b3dfc9163ee994587b7f/File/31592646683.pdfIn PDF document text
    • http://nsdadventist.org/FCKData/file/dutadarase.pdfIn PDF document text
    • http://ophirtonhotel.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609434928ebdf---gefidosiboj.pdfIn PDF document text
    • http://dogoducthien.com/uploads/files/36452517445.pdfIn PDF document text
    • https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/36b3ee667d9f8a2e85d39cf24cb7cc62/82157354777.pdfIn PDF document text
    • https://ahha.az/userfiles/file/sonojanikegawofawaver.pdfIn PDF document text
    • https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e5b30c3e9f---dokegig.pdfIn PDF document text
    • https://maidintown.co.uk/wp-content/plugins/super-forms/uploads/php/files/d8f64dc47aa5cc3d837909b8274aef5d/57859827477.pdfIn PDF document text
    • http://www.hj-bouwt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160bbf04e3afce---tiregivigulofezorogefer.pdfIn PDF document text
    • https://www.entornopublicitario.com/wp-content/plugins/super-forms/uploads/php/files/11611873596879745d36a32e1fe2ccdb/32612023231.pdfIn PDF document text
    • https://istanajp2.com/contents//files/pawibomurunevakaxaliwexo.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.orgThisIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=treasure+hunt+clues+for+computerPDF link annotation
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://scripts.sil.org/In PDF document text
    • http://scripts.sil.org/OFLAbyssinicaIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off000144e8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x144E8 32220 bytes
SHA-256: 15d1d82f6b817e48e547751ff0bb8d4ea14620781b41b719ec3b72f247681105
font_00_sfnt_off0000e579.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE579 7204 bytes
SHA-256: d79e1626b1163426cee799aaa5d4a7ce610dc297c30e229b3f592ef90acd1f1f
font_01_sfnt_off0000f7ed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF7ED 3608 bytes
SHA-256: 993f990a52ea9b8d2fda683172b6cef8083f02c7eb13855b82979f2d95f801f4
font_02_sfnt_off000104b5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x104B5 5204 bytes
SHA-256: 778241fc42bf90053231d2c774d1dedaf5079ef7c04815a675e900e759aa0b7e
font_03_sfnt_off000115fc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x115FC 6288 bytes
SHA-256: 0e5abd17facb1c630e5d097c7fac67424adb9de7cc0de78d37be0f92c8f0c546
font_04_sfnt_off00012567.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12567 20768 bytes
SHA-256: 404cb6e3c54b6082a8b71e0c06f5f68222dbe93cbd67f2803738104b79bf34a3

Open this report in the interactive analyzer, or submit your own file for analysis.