Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc0cfb81bb6554bb…

MALICIOUS

PDF

71.4 KB Created: 2021-05-17 15:32:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63839b8e89ea7d625a730f486e912f4c SHA-1: 3b209534f321ef6b73bce3abe78da288d38cc782 SHA-256: dc0cfb81bb6554bb7b9c6a52e4c65fde59066085424e567107a86aaa4ee374c8
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains numerous links pointing to compromised WordPress sites, suggesting a link farm used for SEO poisoning to lure victims with search terms like 'Sony bravia lcd tv service manual pdf'. Heuristics indicate the PDF itself is a malicious payload, likely intended to be downloaded and executed by the user. The ClamAV detection and ML classifier strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8179

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=sony+bravia+lcd+tv+service+manual+pdf
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f3b9d0faa2---87750252045.pdf
    • http://tavernadelsnoguers.com/wp-content/plugins/super-forms/uploads/php/files/4d5a5cb8978df79dc1c74bcc3e0ffc0a/weluz.pdf
    • https://brunoamaranti.it/wp-content/plugins/super-forms/uploads/php/files/i9m6pnlmhkk98affaol2djd5n0/53547425058.pdf
    • https://seataclighting.com/wp-content/plugins/super-forms/uploads/php/files/1ae483c84202fe76c404bbcf24bf57f5/zejuvumek.pdf
    • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1608664025b761---jiresojeg.pdf
    • http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a08da1f0e69---27713507036.pdf
    • https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b0aa7e6fda---tesupelolosi.pdf
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c53f2b0f84---zamoja.pdf
    • http://digemnd.com/UserFiles/file/nafomem.pdf
    • http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc81735349---muropusujeperuwoverovuz.pdf
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608c5b4ed91f3---rixefev.pdf
    • http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/160838eb386f2e---godajidafitesupiji.pdf
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609623c7740d9---vosasisa.pdf
    • https://best-turbos.com/wp-content/plugins/super-forms/uploads/php/files/a69808cbc36cdbc0952713af716dc879/46127425738.pdf
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/02120cc8a8104e5c463dc332603712a6/rogod.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000101e1.bin
8be51493124963ff6007fa2bd48e7ba5cab4752a06947c0208438d75de6a5007		 pdf-font-stream PDF embedded font (sfnt) at offset 0x101E1 5708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.