Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbe653c9591fb3b1…

MALICIOUS

PDF

80.0 KB Created: 2021-06-09 01:10:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: fcd90c16966aa3ee6dda0338029540b8 SHA-1: f718841d584d526273bf9225690f6b86fca2f8a1 SHA-256: dbe653c9591fb3b1abd3a4869c1d56718c39ad93e01ecdb61b8e8714799818ab
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm with numerous URLs pointing to various domains, many of which appear to be compromised WordPress sites. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and the presence of multiple distinct hosts suggest a deliberate effort to create a network of redirectors. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8126

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=winter+sonata+richard+clayderman+piano+sheet+pdf PDF link annotation
    • http://forter.vn/hinhanh/file/ribupozupopowomepo.pdfIn PDF document text
    • https://lightspec.com/wp-content/plugins/super-forms/uploads/php/files/e5181c7229a268e02137cd1e0775f755/wutinufavemusinukapub.pdfIn PDF document text
    • https://flycam.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160bb6c5073933---86324423910.pdfIn PDF document text
    • https://unique.global/wp-content/plugins/super-forms/uploads/php/files/33cc2cfe444f0d33c60102614e561572/tumaxivir.pdfIn PDF document text
    • https://nazragame.com/calisma2/files/uploads/sewogofujegizumabazata.pdfIn PDF document text
    • http://nowyhotelik.pl/userfiles/file/bejonak.pdfIn PDF document text
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607951e5bb4a6---65707687584.pdfIn PDF document text
    • https://www.northamericatalk.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d924a5b0e5---16721064805.pdfIn PDF document text
    • https://promocionesnma.com/wp-content/plugins/super-forms/uploads/php/files/8f8d499a98e90bc5815e6459d858d44f/19344285319.pdfIn PDF document text
    • https://www.sudburyhighspeedinternet.ca/wp-content/plugins/super-forms/uploads/php/files/c59a0a3e7f9177907d44db3648b8d43c/15184820511.pdfIn PDF document text
    • https://cal.lighting/wp-content/plugins/super-forms/uploads/php/files/73853fbc90fe2c5eb909f3535cd528ac/46193619965.pdfIn PDF document text
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ef1cf47d6a---26905729897.pdfIn PDF document text
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/95ff1d2d476f0d52a015403fb8493c54/lisurudemesinigitoxeganog.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010cb3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CB3 5508 bytes
SHA-256: 4f5a4ff4c5b866baa88ef7b450ccc04ef0e83c9c4b68d17d970bb6bdffb8c431