Malicious PDF — malware analysis report

Static analysis result for SHA-256 d57648828560dc32…

MALICIOUS

PDF

80.0 KB Created: 2021-06-21 01:30:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: afeee60ab26be3f74dd083c5f521df45 SHA-1: bda8ce4368f49681dc9b62aa23f6e6959ba6c525 SHA-256: d57648828560dc32576d8af6d82592db17bc14967f19278acdbf3a444656bbe8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to compromised WordPress sites, suggesting it is part of a link farm designed to distribute malware or phish for credentials. The document body, though heavily corrupted, contains text related to 'Pokemon shield download pc', likely a lure to entice users to click on the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9537

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b399300eb45---69307459408.pdf In PDF document text
    • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/bfaff9bdcd024b1ce88dcee5388b569f/rozesibetegiju.pdfIn PDF document text
    • http://www.cascinasorigherio.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b9461e22da8---vodulibufisi.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/e757f66c252a0827dec366e4aeadcd31/lipalesutiriduto.pdfIn PDF document text
    • https://loctra.net/userfiles/file/53077699065.pdfIn PDF document text
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/4875e8df4bf6d83ed35cc6c37783467f/27642133186.pdfIn PDF document text
    • http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/rjd9f9sm8m0lceat5gosu7e6i1/61365157085.pdfIn PDF document text
    • http://dekoblickfang.de/userfiles/file/89463251484.pdfIn PDF document text
    • http://budohurtsa.pl/userfiles/file/5464316056.pdfIn PDF document text
    • http://www.kmclogistics.com/wp-content/plugins/super-forms/uploads/php/files/4c938bfd1350cb3380bf5a12e112eba5/75054075003.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b0f11a2da51---41896619798.pdfIn PDF document text
    • https://callhfelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086840861375---90211762494.pdfIn PDF document text
    • http://wamer.org/userfiles/file/7949104152.pdfIn PDF document text
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/ela3bohqj8b2c988ukj5i4bi53/xelus.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=pok%25C3%25A9mon+shield+download+pcPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010e40.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E40 5516 bytes
SHA-256: ee100f025235f8a1d2b50959c646671dcaad298b5faa48521d116a379c977457