Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6872dbca096e4f7…

MALICIOUS

PDF

53.9 KB Created: 2021-09-26 07:36:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-21
MD5: 56199a280e390da1acdc4197d8578223 SHA-1: 6d53f9f2b7f8fe4460e4a0a7f00b0f900bd7a7bf SHA-256: d6872dbca096e4f79523f6922cecb8c614b6a0451c6990ee3713b075b47e5ab3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or malware distribution attempt. It contains numerous links to external websites, many of which are hosted on compromised or disposable domains, suggesting a link farm designed to redirect users to malicious content. The presence of 'utm_term' parameters in some URLs further supports a campaign-like distribution strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6420

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=genki+second+edition+textbook+pdf PDF link annotation
    • http://euskararenginkana.eus/files/galeria/files/85927548441.pdfIn PDF document text
    • http://kaitosushisb.com/uploads/files/93183157653.pdfIn PDF document text
    • http://jrecchina.com/ckeditor/ckfinder/userfiles/files/21732174797.pdfIn PDF document text
    • http://influences-vegetales.eu/assets/Image/files/94120781087.pdfIn PDF document text
    • http://mayepnuocmia.vn/data/ckfinder/files/46015116631.pdfIn PDF document text
    • http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/16146c6159fdfb---rebovezuvunigose.pdfIn PDF document text
    • http://skncn.com/u/files/67158663128.pdfIn PDF document text
    • http://mijneigenlift.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1614d177db08c5---wevupuloborepiwonitip.pdfIn PDF document text
    • http://ilovestory.com/upload/file/37809452065.pdfIn PDF document text
    • http://kimhoatra.com/upload/fckimagesfile/buvatiz.pdfIn PDF document text
    • https://ichibaninfotech.com/ckfinder/userfiles/files/77956613264.pdfIn PDF document text
    • http://hublihorse.com/uploads/userfiles/files/6029398584.pdfIn PDF document text
    • https://sanaspinler.com/calisma2/files/uploads/62830277675.pdfIn PDF document text
    • https://heritagecambodiatravel.com/userfiles/file/sipubiwigisibu.pdfIn PDF document text
    • https://broadcasthub.com/ci/userfiles/files/4779419585.pdfIn PDF document text
    • http://vakaruinzinerija.lt/userfiles/file/firuze.pdfIn PDF document text
    • http://dija.lv/public/userfiles/file/revinavuriwu.pdfIn PDF document text
    • http://www.kinoimaging.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1613358d5e1265---wunuriruvebexewizaridal.pdfIn PDF document text
    • https://shibbirs.com/media/files/xudototuwizasaxo.pdfIn PDF document text
    • http://ilsogno-bomboniere.com/userfiles/files/99815474533.pdfIn PDF document text
    • http://yigang-lin.com/uploads/files/202109170514409320.pdfIn PDF document text
    • http://boldogelet.hu/media/18428211838.pdfIn PDF document text
    • http://czernavendeghaz.hu/admin1/file/65094143573.pdfIn PDF document text
    • https://aordonez.com/images/contenidos/files/13358347260.pdfIn PDF document text
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1613a407f9c57a---zugumenatakipemekuli.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b2cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB2CD 16380 bytes
SHA-256: 7bf8d29fe99b9f7f205caf44ddb7a71aae7d1fbfbf9cddf685beb97606d3e7aa