Malicious PDF — malware analysis report

Static analysis result for SHA-256 d670a81622ad7d8c…

MALICIOUS

PDF

127.6 KB Created: 2021-10-05 22:01:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 522ece8410f8b58a9625f040c0119bff SHA-1: d52b0c68f015e42a3e010a40906d1a1236d4e9fe SHA-256: d670a81622ad7d8ccd83adee14c3a29af69eb8564d91c958a3456e189ae379f3
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, indicative of a link farm used for phishing or malware distribution. ClamAV detection further confirms its malicious nature. The primary function appears to be directing users to external, potentially malicious, content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3747

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fitness-sport.it/userfiles/file/17935829538.pdf In PDF document text
    • http://telek-trans.hu/editor_up/89239717107.pdfIn PDF document text
    • https://bcbc3399.com/upload/files/77650543000.pdfIn PDF document text
    • https://fermuar.com/wp-content/plugins/formcraft/file-upload/server/content/files/161508d18cbe76---vebupipi.pdfIn PDF document text
    • http://faurerom.com/userfiles/file/sikujewilezi.pdfIn PDF document text
    • https://lienlacanien.com/img_pages/file/xalodawikovisimuzevotem.pdfIn PDF document text
    • http://princeverma.in/uploads/files/wobetameforirusobamupuve.pdfIn PDF document text
    • https://myphi.biz/nbloom/fckuploads/file/8006571127.pdfIn PDF document text
    • https://menokatea.com/ckfinder/userfiles/files/83156240792.pdfIn PDF document text
    • https://penzionradvanice.cz/res/file/nebudulujisi.pdfIn PDF document text
    • http://zjhywt.com/images/upload/File/19981185213.pdfIn PDF document text
    • https://webgirls-studio.com/wp-content/plugins/formcraft/file-upload/server/content/files/161494ca20ebcd---fuvoso.pdfIn PDF document text
    • https://pasationtravellers.com/root/FCKeditor/file/34921355412.pdfIn PDF document text
    • https://tfnd.org/wp-content/plugins/super-forms/uploads/php/files/be124439de5205f54592d9bb3ef68d09/72655913623.pdfIn PDF document text
    • http://nemochem.cn/upload/files/pununiwok.pdfIn PDF document text
    • http://metabolizmusonline.hu/images/upload/file/26418338754.pdfIn PDF document text
    • http://jiendurancecoaching.com/ckfinder/userfiles/files/pixaboxokugasemebeniv.pdfIn PDF document text
    • http://donauwell.at/userfiles/file/79189562839.pdfIn PDF document text
    • https://daotaolaixesontay.com/uploads/file/31218833987.pdfIn PDF document text
    • https://network-italia.it/file/wuvejitovajime.pdfIn PDF document text
    • http://gamjagolla.com/uploads/files/pifulowi.pdfIn PDF document text
    • http://aviteksural.ru/admin/ckfinder/userfiles/files/70385575622.pdfIn PDF document text
    • http://modern-pro.ru/files/file/40805568742.pdfIn PDF document text
    • http://n2nnetworks.com/files/others/71399217510.pdfIn PDF document text
    • https://avenirpourtous.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16157472248313---joxosilanemez.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=distance+from+san+diego+to+escondidoPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001a6a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A6A7 10776 bytes
SHA-256: 2e345a2a26ebc234762c3177f80d9faa7b4b80cf8b68f88427a081ff1099072e
font_01_sfnt_off0001bf41.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1BF41 23168 bytes
SHA-256: 58634c1f015981d377b8486be3c4415199fcff44e85de1107f4ed0c421aedd62