Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7dfaac84340c06c…

MALICIOUS

PDF

62.5 KB Created: 2021-09-20 04:36:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 7e5b20cbc4eb7a75889cfe90f7530a49 SHA-1: eafd5ea574f035e7c762426f4780708d29e18d79 SHA-256: d7dfaac84340c06c546e9c60ef3e15b0b13d829961686ab4d272f9bf6a6c39fa
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains numerous embedded URLs that point to a variety of domains, many of which appear to be disposable or compromised. The heuristic firings indicate that this PDF is acting as a link farm, likely to distribute phishing content or malware. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7146

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=how+to+remotely+control+a+computer+with+android+phone PDF link annotation
    • https://cliniquemyo.com/userfiles/file/12135012095.pdfIn PDF document text
    • http://www.gc-antey.ru/ckfinder/userfiles/files/1906610991.pdfIn PDF document text
    • https://qpshouse.com/upload/image/file/14179242249.pdfIn PDF document text
    • http://whipitleather.com/userfiles/file/dufenamonakuti.pdfIn PDF document text
    • https://xn--78-6kce7dfhb9dwb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/0ed258bc1c3312efa8501169e8cc298d/tabobifobi.pdfIn PDF document text
    • http://abwfinlay.com/uploads/files/xosenu.pdfIn PDF document text
    • http://yanartextil.com/firma/files/zojadefalaluzenuvelasen.pdfIn PDF document text
    • https://www.mnogotrop.com/ckfinder/userfiles/files/75074247661.pdfIn PDF document text
    • https://culturasiapamplona.com/guiarte_userfiles/files/tononegajolefupoxelidin.pdfIn PDF document text
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/161328234c6593---1166660485.pdfIn PDF document text
    • https://eklyps.net/images/file/kikalovedove.pdfIn PDF document text
    • https://alubiasdetolosa.com/files/galeria/files/rigupabegepuvazi.pdfIn PDF document text
    • http://rovitek.com/userfiles/file/3969111473.pdfIn PDF document text
    • http://naturestuff.nl/siteimages/file/jofem.pdfIn PDF document text
    • http://abbeloosschinkels.be/userfiles/file/fukakimiveko.pdfIn PDF document text
    • http://kamkmori.cz/ckfinder/userfiles/files/15102371165.pdfIn PDF document text
    • https://confeccionesruiz.cl/UserFiles/File/49871442162.pdfIn PDF document text
    • https://livredart.com/ckfinder/userfiles/files/suwelorovebimomijutepop.pdfIn PDF document text
    • http://alptw.com/images/files/81318433898.pdfIn PDF document text
    • http://rowerowaszkola.pl/imgturysta/files/34882883068.pdfIn PDF document text
    • https://jv-cms.crazy-jessie.nl/uploads/files/10301304574.pdfIn PDF document text
    • http://kietminhrivet.com/upload/files/20489742536.pdfIn PDF document text
    • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/d3cdfb86a91e66d5d07c8b000bf76e19/josixodifelijemidoxet.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd13.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD13 10900 bytes
SHA-256: 228fb523a18b72cd0d82e72c1eee44bd9d4e02a1504b140fe0c76334ee945eef

Open this report in the interactive analyzer, or submit your own file for analysis.