Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9d8e33c2aa2b376…

MALICIOUS

PDF

71.2 KB Created: 2021-06-10 03:59:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: f51df9d110174f57efbaef1c1881283a SHA-1: 210aae0e8a42019e89a28c43b5469d2810a00c34 SHA-256: d9d8e33c2aa2b376288ab0e733af3e05c997cbbca1be987040dbd7145f7d3144
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is classified as malicious and detected as a phishing trojan by ClamAV. It contains numerous links to compromised WordPress upload storage and disposable hosting, suggesting it is part of a link farm designed to distribute malware. The document body, though heavily obfuscated, contains keywords related to free PDF downloads, indicating a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8855

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=amharic+bible+study+pdf+free+download PDF link annotation
    • http://wbbray.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fa8de27f76---tutobutemememe.pdfIn PDF document text
    • http://anhuishangbiao.com/upload_fck/file/2021-4-29/20210429064732734464.pdfIn PDF document text
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/sm267mf147q3bpl5ep7utv83a4/42161336365.pdfIn PDF document text
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607da4f4cfef1---xugolaf.pdfIn PDF document text
    • http://erdivigado.hu/userkepek/file/mobolodesewetonenok.pdfIn PDF document text
    • https://www.dynasil.com/wp-content/plugins/super-forms/uploads/php/files/63fcbb720bc21f350fd87d9935432f76/dijatexijuzidujivorute.pdfIn PDF document text
    • http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/16074277b46236---16361763537.pdfIn PDF document text
    • http://www.restorationservice.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607fa06f33ec8---tofakopu.pdfIn PDF document text
    • https://mt-creativestudio.com/ckfinder/userfiles/files/70799685094.pdfIn PDF document text
    • https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/6284cf94779980b75744772e8034c676/nixerafimeduri.pdfIn PDF document text
    • https://cafepiolho.com/uploads/assets/78052373464.pdfIn PDF document text
    • https://event-connections.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608afb3409651---71359406022.pdfIn PDF document text
    • http://maidnheaven.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a5a4b55991---23653860506.pdfIn PDF document text
    • https://seataclightingalaska.com/wp-content/plugins/super-forms/uploads/php/files/cd7f3fdffde5231721c369857d3c6f93/jofewesixawiladunaja.pdfIn PDF document text
    • https://108pizza.pl/uploads/userfiles/files/8125105161.pdfIn PDF document text
    • https://ercrs.org/wp-content/plugins/super-forms/uploads/php/files/qsntjapjb49kl4lidupcph9evi/67335049373.pdfIn PDF document text
    • http://serendipityorlando.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609862cfe12de---kusasare.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4f3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE4F3 15160 bytes
SHA-256: 3efa2e80b8f2ab8a786fbfcc491187b0f6b58a96c8e6c9faedbe4f077bf57723
font_01_sfnt_off00010e22.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E22 5716 bytes
SHA-256: e864e7b261f28f60276a5b8229f551bf34c59ed3c8cc42991a30bb23536b734b