Malicious PDF — malware analysis report

Static analysis result for SHA-256 d46c3638e4e942c5…

MALICIOUS

PDF

62.4 KB Created: 2021-06-30 21:36:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-20
MD5: 0b5115b6ebdc8ba628efa1c56b50460c SHA-1: 3bffe2a79c90f241ee186c2d68b39fb0487ce668 SHA-256: d46c3638e4e942c58d086304384b36a1d250461096e9b8f326f769ff1ff4c2d4
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating a malformed exploit stream and a link farm pointing to compromised CMS uploads. The document body is unreadable, but the presence of numerous external URIs, many hosted on compromised WordPress sites, suggests a phishing or malware distribution attempt. No scripts were extracted, but the PDF structure itself likely facilitates the redirection to these malicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6065

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.webtony.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16072437bb89cd---29426927889.pdf In PDF document text
    • http://creatinglifeoptions.com/userfiles/files/pexaridapid.pdfIn PDF document text
    • http://pneusmarene.it/images/file/21198478531.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/c32da22e54701eaa7b793ff446d207c8/274025678.pdfIn PDF document text
    • https://arihantgranites.in/wp-content/plugins/super-forms/uploads/php/files/731q9872p3dd8bojao0ek3urb4/66449925753.pdfIn PDF document text
    • https://www.ltgpartners.com/wp-content/plugins/super-forms/uploads/php/files/bfa77993832c4ccc8c9f472772bc850d/jakugetowevuvopu.pdfIn PDF document text
    • http://seigyobannkaigaikikaku.com/ckfinder/userfiles/files/10786009500.pdfIn PDF document text
    • https://www.quatainvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b59f0197e1b---42446998072.pdfIn PDF document text
    • http://drstevealbrecht.com/wp-content/plugins/super-forms/uploads/php/files/447c382eb09833f025616e470cd68549/jipugefek.pdfIn PDF document text
    • http://www.farparts.cl/wp-content/plugins/formcraft/file-upload/server/content/files/1607ce2c330a87---40961626218.pdfIn PDF document text
    • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607f43eae465c---80152074491.pdfIn PDF document text
    • https://szabobuszrendeles.hu/files/files/labalemuronab.pdfIn PDF document text
    • https://jetzterstrecht.hamburg/wp-content/plugins/super-forms/uploads/php/files/6hmoodah89537vfjdka1u1jib7/ruzixarazugizajofa.pdfIn PDF document text
    • https://levin-dent.ru/wp-content/plugins/super-forms/uploads/php/files/8bc27b16d09fd70c6a00184a2c603a10/29671787811.pdfIn PDF document text
    • http://crystalnymph.by/wp-content/plugins/super-forms/uploads/php/files/e77f924331f084dd71a55eaae54574ff/kajaduziporidag.pdfIn PDF document text
    • http://cunningham-reunion.com/clients/7/73/7399477c88ef979e1ad3ac38e42cffcc/File/kobuvid.pdfIn PDF document text
    • http://www.thelawchamber.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608abd2615ddc---22835382223.pdfIn PDF document text
    • http://e2ingenieros.com/ckfinder/userfiles/files/xutuvibewi.pdfIn PDF document text
    • https://ascinfratech.com/clientprojects/trading/file/nifixarunivoseju.pdfIn PDF document text
    • https://feng-shuiworld.com/userfiles/file/sozovozegupoguxovavazis.pdfIn PDF document text
    • https://brandonsmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/fcm9c3k9ftf42krvf2g1ra4h86/47729710946.pdfIn PDF document text
    • http://tjsijiqing.com/ckfinder/userfiles/files/2021/0625/834d3ebcea5cdcd63237f9f7b5728114.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=important+question+answer+of+economics+class+12PDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.