Malicious PDF — malware analysis report

Static analysis result for SHA-256 db0f28575b223f54…

MALICIOUS

PDF

105.4 KB Created: 2021-07-15 15:00:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b50a1406a1d7adc2927db88305f92900 SHA-1: 266f398bce7ca640196c78a35dce7fc61cc511c7 SHA-256: db0f28575b223f54ffa00946d24e3a116b4de644da23fd8c37c2d8aecf1e2a5f
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm pointing to multiple compromised WordPress sites, which in turn host other PDFs. This suggests a phishing or scam campaign designed to lure users to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4394

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16094582a9bb0f---18492743948.pdf
    • https://t4g.nasscomfoundation.org/wp-content/plugins/super-forms/uploads/php/files/4dtdpjpp0peb9rt0rb1iu2qt13/82028447260.pdf
    • https://myupfield.link/wp-content/plugins/super-forms/uploads/php/files/m0f12ptcsps628i0te7h78arn7/memigatakabixidato.pdf
    • https://neavocats.com/wp-content/plugins/super-forms/uploads/php/files/80b89db48eb3d4db8f0a610b6e39b8db/jijotusetudukakibuf.pdf
    • https://aliencosmicexpo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608688318aeb2---vebewigitog.pdf
    • https://davaocarrental.com/images/file/wilapememumawode.pdf
    • http://sibleyestateplanning.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/difefofogoriwodutup.pdf
    • https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/ep8ca1d89esf6k0fb6c7sha2op/39672309909.pdf
    • https://malashealthcare.com/userfiles/files/suliwanuvuvajiraful.pdf
    • http://shinies.ru/img/lib/file/fagodixetufivorijakuz.pdf
    • http://msamerica.net/clients/873634/File/85411047284.pdf
    • http://sieuthibds.net/images/files/87683451235.pdf
    • https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/boilfbd8p9vanadvt1ujer6rsj/1515834685.pdf
    • https://sarujiovalente.com/wp-content/plugins/super-forms/uploads/php/files/3kolpi4329g1f0qgo3jjh90sa6/98235173621.pdf
    • http://reclaimsplus.com/wp-content/plugins/super-forms/uploads/php/files/97e7247d04e5bdb5d6c7c183ccba7801/xojerov.pdf
    • http://iamsoldierfit.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083845db808a---fidumifipigowadegavesu.pdf
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/65851d2c9c276b8e5b00effa9161ec67/bozajefowemosotojeb.pdf
    • http://www.jcca.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/160b804519653a---92412202039.pdf
    • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160741531bde7a---71042443353.pdf
    • http://ozari-ua.com/files/file/suvegogedodotus.pdf
    • http://clubselectionvoyages.com/images/file/nuzupijerasijivunerevekal.pdf
    • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160bfddc15176c---wonagigevukozekopixe.pdf
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160b2d1f56b828---37630710798.pdf
    • http://pajurioverslas.lt/ckfinder/userfiles/files/bofupumuvatazaveterafew.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=engineering+physics+practical
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013ebd.bin
36629a3fb2d61a8ba5249d8389560edde9e03da12132d94d5f51384c13b87985		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13EBD 17464 bytes
font_01_sfnt_off00016c4a.bin
32b73131a319bccc8d81487ff14d3c5fa3f0e2b885c01f9de5060d0d46acf80b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16C4A 10632 bytes
font_02_sfnt_off00018492.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18492 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.