Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8c716a97e95e01b…

MALICIOUS

PDF

74.5 KB Created: 2021-06-03 18:19:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-20
MD5: 76b82082604e3ba8115439e4e7fa1e09 SHA-1: 8484d19b94882fbd367edc54429adfde76c28563 SHA-256: d8c716a97e95e01b54172166f7aa6d09d3018ce4a7f4a7b888bed6cde210de87
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many of which are hosted on compromised CMS uploads or disposable hosting, suggesting a link farm designed to distribute malware. The document body, though heavily obfuscated, appears to be a lure related to song lyrics, likely to trick users into visiting these malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8745

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.cdscabling.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609212d013eb9---xufux.pdf In PDF document text
    • https://ebooksweb.net/files/file/97112855646.pdfIn PDF document text
    • https://www.sehersirin.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074db877d053---77599749234.pdfIn PDF document text
    • http://bostonmentors.com/userfiles/file/10588021590.pdfIn PDF document text
    • http://www.musicmaestrodiscos.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609829f6981a1---luzujunomamunulavat.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/2da054d78197f6fa70b6c483778f20f3/25263343758.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16097018e8d4b8---xufema.pdfIn PDF document text
    • http://bamt.be/wp-content/plugins/formcraft/file-upload/server/content/files/1608b703853cef---fodabaregoror.pdfIn PDF document text
    • https://nhachoxebus.com/upload/fck/file/74374605538.pdfIn PDF document text
    • http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16090bde2cbcaa---zojonubanunomozusuxo.pdfIn PDF document text
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083fde565f93---1468418511.pdfIn PDF document text
    • https://bouveau-consulting.com/userfiles/file/sirokujitiwowuduzonofoxiv.pdfIn PDF document text
    • http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094d5ad0c227---9262483884.pdfIn PDF document text
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3d74b24b9f---81945173.pdfIn PDF document text
    • https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/6960d918236a4691d04a932907473ec6/19589671517.pdfIn PDF document text
    • https://mobistore.co.nz/wp-content/plugins/super-forms/uploads/php/files/d19eb52cac9879e7e57587c959195d8e/lijizenofisedomuve.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=rodrigo+amarante+tuyo+translation+lyricsPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da01.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDA01 5252 bytes
SHA-256: 2120d69618d19c4eb7961219a69019b6cf7974c9fa8a1172b56f07c5c608d961
font_01_sfnt_off0000ebc5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBC5 12796 bytes
SHA-256: fdcc25cb09c9a4608be87a9fd029c3eaa2e6c277be3c2d244d300261aab4ed1d
font_02_sfnt_off000112cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x112CD 16204 bytes
SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501

Open this report in the interactive analyzer, or submit your own file for analysis.