Malicious PDF — malware analysis report

Static analysis result for SHA-256 d588311d75f8cb3d…

MALICIOUS

PDF

65.6 KB Created: 2021-09-25 21:23:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 7c29ec945d11f7c4afed7f8e8ea0589f SHA-1: 2b4a12b4b2c65d6410842617f7c02b832457f35b SHA-256: d588311d75f8cb3ddde87f82576d4fb50cb8c7a11c37f233bda0ecffc653c317
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was identified as malicious by ClamAV and an ML classifier. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to various domains, some of which are hosted on compromised CMS platforms. The presence of multiple links, including those with 'utm_term' parameters, suggests an attempt to lure users to potentially malicious or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5953

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://clinicaabrahaoosta.com.br/ckfinder/userfiles/files/79473399868.pdf
    • http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141545faf894---sorilajibapadamigodabod.pdf
    • http://lamekatus.com/uploads/ckeditor/files/sakexevanadone.pdf
    • http://ropesadventure.com/d/files/67961327990.pdf
    • http://rezidencianestor.sk/app/webroot/files/ckeditor/files/72201550200.pdf
    • https://xn--nmqu14inmf.com/upload/files/65636610993.pdf
    • https://manage3.realtourvision.com/rtv/ckfinder/userfiles/images/files/xidekigivo.pdf
    • http://xn--nellieskche-0hb.de/userfiles/file/59884617049.pdf
    • http://tupnate.com/ckfinder/userfiles/files/72695998202.pdf
    • http://tangiahoang.vn/Images_upload/files/wixuwiluk.pdf
    • https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/34a1kgntuu5lldhdiu5mvkei0t/sotovukib.pdf
    • http://www.gieskestukadoors.nl/ckfinder/files/files/15111819894.pdf
    • https://cicasoftavukatwebsitesi.demowebsiteleri.com/upload/files/85341814850.pdf
    • https://101doctor.com/uploads/ckfiles/files/613b7217d1aa5.pdf
    • http://oio.cn/uploadfiles/files/26029430897.pdf
    • https://tranthachcaodanang.com/uploads/image/files/81639380219.pdf
    • http://ilturismoinitalia.it/userfiles/files/pimotuvevijadewidi.pdf
    • https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/u83b9nvnvab2bj5ltg8bha6ve2/dekojogobigoxepune.pdf
    • http://weldingplaza.com/files/file/17416173022.pdf
    • https://karapinler.com/calisma2/files/uploads/36600577763.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=gangstar+vegas+apk+award
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ab6e.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB6E 16792 bytes
font_01_sfnt_off0000c380.bin
20f0b3c92daad3b81603e0aaf0a46bd74fc2ad443f67ee8142cb6254ee61a11d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC380 15804 bytes
font_02_sfnt_off0000eba8.bin
037ddeb03f259beec33a73d45fe5c9eb6dbb3cff527bfdf0a630aaadcea45141		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBA8 10592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.