Malicious PDF — malware analysis report

Static analysis result for SHA-256 d690c184e1fcf242…

MALICIOUS

PDF

80.4 KB Created: 2021-07-06 19:47:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 2ee923be008517fc17acaaf073b0d681 SHA-1: 29d617bfd102c1c1255d99f28552a1ed3602cf0b SHA-256: d690c184e1fcf24269ffcb0e384192082f100d1ab1893c42a75440cca43ce60e
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting a link farm used for phishing or malware distribution. The presence of PDF-specific heuristics like PDF_URI and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM further supports this. Although no scripts were explicitly extracted, the nature of the embedded URLs and the detection as a 'Phishing.Trojan' strongly suggest the PDF is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6111

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=meaning+of+legalisation
    • https://www.elitelawnsolutions.co.uk/wp-content/plugins/super-forms/uploads/php/files/e953gjoubu3hikulvpb60nmaas/50702317611.pdf
    • https://www.hamburgeriaagricola.com/wp-content/plugins/super-forms/uploads/php/files/fea2p5fad66u9pjrp60aevbnkg/23133796824.pdf
    • http://sad-azov.ru/wp-content/plugins/super-forms/uploads/php/files/f8adf47edfbf651008b53208a7a0e515/78199815184.pdf
    • http://ofipapel.org//ckfinder/userfiles/files/64971175024.pdf
    • https://osikovo.eu/webroot/img/content/files/66148869572.pdf
    • http://5m-tti.com/uploads/image/files/kewufejetu.pdf
    • http://wagnerpc.com/userfiles/files/xugajiwunuxil.pdf
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/fb07846b2aa61ca6d7a3c7e2d045770a/86475349300.pdf
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160799f2f3750f---kajiz.pdf
    • http://technocom.pl/editor/file/mifuxozenuse.pdf
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/f24ca8d5e406405cf34beee8f5b2b8dd/31507611700.pdf
    • http://akbmodel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609439316c73a---jeduzexo.pdf
    • http://chothuethietbi.info/img/files/nonudobarivujene.pdf
    • https://christembassyromford.org/wp-content/plugins/super-forms/uploads/php/files/42993f4c8e443e2ac467e8b3763ffffc/sifolavexabusud.pdf
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/e9e2824082adc884d708213a1b6b12fe/lalubojopezi.pdf
    • http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1608a158d77fd7---55161740058.pdf
    • http://batiment-tunisie.com/userfiles/file/xakupuxovikawozobupikomu.pdf
    • https://francois-daulte.com/ckfinder/userfiles/files/22487839250.pdf
    • http://www.ferm-matic.fr/upload/file/90584029741.pdf
    • https://condominiovillage.com/userfiles/file/40152562035.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/026ls1o1pbeh2ur3ootmdg85f6/kasewuxomimerafulagene.pdf
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b6a12851e13---29540150743.pdf
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/6pu59aa8bp7n171epbq8j0jlbc/punod.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001157b.bin
ed0c51ff80b8ee72d92d4a2ac7b92d5035f1193ccb210a2d8afc429efa0ed080		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1157B 16964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.