Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8265c4b81d67c2a…

MALICIOUS

PDF

107.6 KB Created: 2021-08-17 21:44:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 560a3df39dc7f12cd8c830bbfa942ced SHA-1: aa5022570e0134c02d412fabaa6fdfa985d2ce91 SHA-256: d8265c4b81d67c2a86214031d7a931f9407725ae5a81e1a15c4fe1245f96bba7
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded JavaScript stream and numerous external URIs, many of which point to compromised CMS uploads or disposable hosting. These links are structured as a link farm, likely intended to redirect users to malicious content or phishing pages. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7907

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=euro+truck+simulator+2+best+dlc+2020 PDF link annotation
    • http://kovove-ploty-brany-zabradli.cz/UserFiles/File/10883498396.pdfIn PDF document text
    • http://musthighschool.mn/ckfinder/userfiles/files/98757966747.pdfIn PDF document text
    • http://ascensionchina.com/userfiles/file/4829490316.pdfIn PDF document text
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c3ea049d4b5---71719559033.pdfIn PDF document text
    • http://carshopm.com/js/upload/files/geberizajoxapepojefelapid.pdfIn PDF document text
    • https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/1ll16l4858hnhckm6gsbqmm991/32615998310.pdfIn PDF document text
    • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/310cd3fb214ba7d4795375313e266401/62226534397.pdfIn PDF document text
    • http://stefanourso.com/public/userfiles/file/90092676882.pdfIn PDF document text
    • http://ozari-ua.com/files/file/lunoxanadutipuxizugaraf.pdfIn PDF document text
    • https://jollytime.ru/wp-content/plugins/super-forms/uploads/php/files/d1967729d7fe8b7f719fb75f132fabea/rekibelakubazotet.pdfIn PDF document text
    • https://amenajarisiconstructii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160845a81633db---37849284911.pdfIn PDF document text
    • https://www.masismarketing.com/wp-content/plugins/super-forms/uploads/php/files/e351c6f2cbf7fe426fb6d2438def6ec3/satokukebolurenobifexazu.pdfIn PDF document text
    • https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/bfbc86b7844428ce7d143d893b04df70/55263611587.pdfIn PDF document text
    • https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/e95832b8252bf63395830d7dd8238490/digewobitipus.pdfIn PDF document text
    • https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/160714c2ea4243---vibubasilerosubero.pdfIn PDF document text
    • https://ladychief.com/wp-content/plugins/super-forms/uploads/php/files/08b7ce3902b1455edff1cc6570c9d75c/4867432989.pdfIn PDF document text
    • http://kientrucsangtrong.com/plus/files/verozovebuxi.pdfIn PDF document text
    • http://metalltechnik-kutschi.at/luvokamidubozakoluba.pdfIn PDF document text
    • https://alkirbilaw.com/userfiles/files/16823306789.pdfIn PDF document text
    • http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16084e4162f7d7---razizilujokifakopetig.pdfIn PDF document text
    • https://engravestone.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078030b8845f---nesinexexu.pdfIn PDF document text
    • http://digemnd.com/UserFiles/file/40336762972.pdfIn PDF document text
    • http://solucionesinmobiliariasavg.com/ckfinder/userfiles/files/14809378654.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000178c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x178C2 17944 bytes
SHA-256: 0816d9757c3740a03a0c88badc41930936d1bd432ae6b6ee5956143d1105da56