Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5f8546e1fc4bc18…

MALICIOUS

PDF

78.8 KB Created: 2021-07-03 10:57:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 2ed2c87c8fd42a80be4068f301a9a0e5 SHA-1: 7d2c8f18f9fd535f01deb06a02aead21a2f4f03e SHA-256: d5f8546e1fc4bc1853b7ddf74fa78ef41fc6f6514cf21df259960190f514ec68
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to external websites, many of which are hosted on compromised CMS uploads or disposable domains, indicating a link farm designed to distribute malicious content or phish users. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7560

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cdmatik.com/uploads/file/51242433699.pdf In PDF document text
    • http://terralindahigh1981.com/clients/866868/File/litovutunevolufowesuji.pdfIn PDF document text
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d213d6e22d5---7048108367.pdfIn PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160951b8dd9792---31145920455.pdfIn PDF document text
    • http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160da649e6cbc4---xonulazumamelapolugetifo.pdfIn PDF document text
    • https://0900107678.com/upload/file/mezavajibape.pdfIn PDF document text
    • http://udmvdpo.ru/images/files/53130269780.pdfIn PDF document text
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d33bac55a61---namibasuwufobisezoropato.pdfIn PDF document text
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/19djq40qet6k00hdsoj292bnjs/jerejipodubiwo.pdfIn PDF document text
    • http://keralabiblesociety.com/fck_uploads/file/sebujixakuxugubisilixabe.pdfIn PDF document text
    • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/60lpc4gsqk1fq0nuaa5215bhc6/wubuxexoxemevelato.pdfIn PDF document text
    • http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16074112838d7f---26953278406.pdfIn PDF document text
    • http://coxfamilyreunions.com/clients/5/56/566bc9ad745482f371977770c3e6b383/File/litinikazapoxi.pdfIn PDF document text
    • http://bean2beenefamilytree.com/clients/60578/File/nopumobarukip.pdfIn PDF document text
    • https://studiorampinelli.com/file/nabokivujam.pdfIn PDF document text
    • http://refta-bg.com/userfiles/file/44827851576.pdfIn PDF document text
    • https://ringid.vn/ckfinder/userfiles/files/lunamaxivefufubiwabupe.pdfIn PDF document text
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1607b4fa505e09---sigunagewejobos.pdfIn PDF document text
    • https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/160b29d1961d31---wiruxovarejumesosu.pdfIn PDF document text
    • http://anthonyellisonfamilyreunion.com/clients/f/ff/ff850d76676c1858bf5e443b7a907d3b/File/fezadiwelafetinuzirewaj.pdfIn PDF document text
    • https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607270b6d57de---tulom.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=best+armored+vehiclesPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000101eb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101EB 17300 bytes
SHA-256: 52d8636854c2f0a0c0e07c84c1e1b84affc68d75a1b7cda59954655c0ad0794c