Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3c084c7a41784bb…

MALICIOUS

PDF

69.8 KB Created: 2021-06-18 00:38:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: e6877a78eed13d1aa5a658d11f7c1402 SHA-1: 8402ffe29dd7cd93cb0e6bd828ef4a2a6ae62566 SHA-256: d3c084c7a41784bb2e04b1029d3dd3bf626f68815e7abd9581988c77de2d430b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous links to external websites, many of which are hosted on compromised WordPress installations. The document body suggests a lure related to movie downloads, indicating a phishing or malware distribution attempt. The presence of multiple external URIs and the ML classifier's high confidence score support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9754

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=the+hunger+games+catching+fire+dual+audio+300mb+worldfree4u PDF link annotation
    • https://www.paparazzirestaurant.com.au/wp-content/plugins/super-forms/uploads/php/files/a8b808c768665c0648830bc3888e3ff8/9282912199.pdfIn PDF document text
    • https://noukos.gr/wp-content/plugins/formcraft/file-upload/server/content/files/16083a886a3656---kiwibuzaxatorifadubolaves.pdfIn PDF document text
    • https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/229004be0745ac86c2b7241fddab437c/33652547975.pdfIn PDF document text
    • http://www.uppld.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c3d27143975---jalepakonikejekasudip.pdfIn PDF document text
    • http://b-solutions.net/userfiles/file/nejugofojajepuwo.pdfIn PDF document text
    • https://www.treehousecare.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607a8a143b239---lojarezitigir.pdfIn PDF document text
    • https://www.ogblfrontaliers.fr/wp-content/plugins/super-forms/uploads/php/files/09habgm55m56437fe39gele28d/jilodi.pdfIn PDF document text
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/160aa443b770d1---ridinimesexixera.pdfIn PDF document text
    • http://ne-moloko.ee/wp-content/plugins/super-forms/uploads/php/files/5b6c9286bcbd5f6eee4fbb876c10cd79/mavudafemejivamef.pdfIn PDF document text
    • http://greatnice.club/updatefiles/file/losisiledanati.pdfIn PDF document text
    • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099f56d76174---sowikavuzorinisutifokap.pdfIn PDF document text
    • http://box8websites.com/ckfinder/userfiles/files/45339822357.pdfIn PDF document text
    • http://morgancountyoh.com/userimages/85916857590.pdfIn PDF document text
    • https://pensiunea-escape.ro/ckfinder/userfiles/files/38530123300.pdfIn PDF document text
    • https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/d7e0c95ab872a2bf946683a08132b368/4351847137.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d601.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD601 6744 bytes
SHA-256: 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63
font_01_sfnt_off0000e6e8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE6E8 5892 bytes
SHA-256: 3a733783f9f753f00160266d144a71366c033037b714e5279c0e87473afe63ab
font_02_sfnt_off0000fac6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFAC6 1704 bytes
SHA-256: d4ed4897cac276ad8b4432568dbc6a6dc4e77cab6327dc0d74daf3897b35b229

Open this report in the interactive analyzer, or submit your own file for analysis.