Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4cc184d55b26457…

MALICIOUS

PDF

60.9 KB Created: 2021-09-25 23:50:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: f4b41f72d11bd8e72c2c445a078a6dfe SHA-1: 77edcab0dc4553184fcfbd42ce4949355059d023 SHA-256: d4cc184d55b26457b5947ee1486166bde4fdd760a9257fc167c7124b80c58c63
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many of which point to compromised CMS upload directories, suggesting a phishing or malware distribution scheme. The ClamAV detection and ML classifier further indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and URL patterns are consistent with a link farm designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7898

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=ezekiel+25+17+verse PDF link annotation
    • http://www.oneworldkarate.com/fckeditorimages/userfiles/file/34467704943.pdfIn PDF document text
    • http://leadingedgecorporate.com/user_images/file/9999155323.pdfIn PDF document text
    • https://sumangold.net.vn/wp-content/plugins/super-forms/uploads/php/files/0iqcju4k5e9oh1ohnal2p2jet9/89913706036.pdfIn PDF document text
    • http://parkingparts.com/Upfiles/file/nogojojuxofunujituduxuz.pdfIn PDF document text
    • https://preciseenergygroup.com/media/80271579578.pdfIn PDF document text
    • http://esejsc.com/upload/files/52764722183.pdfIn PDF document text
    • https://journeypeople.cc/wp-content/plugins/super-forms/uploads/php/files/15c22358d24250688973b82ba876d8d7/85015179042.pdfIn PDF document text
    • http://maginsaatmetal.com/resimlerfiles/kabapudumamefebapo.pdfIn PDF document text
    • https://cfbadalona.net/ckdata/files/zupozupasaluwaxeriz.pdfIn PDF document text
    • http://chothuethietbi.info/img/files/buwixozuk.pdfIn PDF document text
    • http://awarelaxcentrum.cz/user_files/file/22759717895.pdfIn PDF document text
    • https://larustt.com/upload/ckfinder/files/kanejitalunipoj.pdfIn PDF document text
    • http://vanhacollection.com/images/files/70439825926.pdfIn PDF document text
    • http://www.radiopopiatej.com/wp-content/plugins/formcraft/file-upload/server/content/files/161308ca5ac22c---latevuzalepunix.pdfIn PDF document text
    • http://torremaggiore.sitmap.it/files/files/pisilebezofonigopaxujaw.pdfIn PDF document text
    • http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/161361bb7e8f61---3673432012.pdfIn PDF document text
    • http://www.lukoilmarine.com/ckfinder/userfiles/files/lenosagagupopu.pdfIn PDF document text
    • https://markzone.az/wp-content/plugins/super-forms/uploads/php/files/p61o62oooafqcv3b65jsec9aad/piboronerofuxetilusa.pdfIn PDF document text
    • https://tp-pos.com/uploads/image/files/bimaxevi.pdfIn PDF document text
    • http://chono.mn/uploads/userfiles/files/sefutipogusuxusizim.pdfIn PDF document text
    • http://erpos.sk/data/files/17181820084.pdfIn PDF document text
    • https://shoppingplanet.ro/ckfinder/userfiles/files/56033307399.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b3c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB3C9 18620 bytes
SHA-256: 7af15ea675f7a86de824f5e2ebda9bccbda15fd4e153809d7c3db80cc5db65b5

Open this report in the interactive analyzer, or submit your own file for analysis.