Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd35b060c8b67017…

MALICIOUS

PDF

93.7 KB Created: 2021-09-17 22:03:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 9f3bf97cf903b69091e9b2a0c2ee428d SHA-1: bf4f68a3bbb4470d0279bce26cbb39bd38235caa SHA-256: dd35b060c8b670170782306e702eb926e14d34b2b7b4cb403bce088452a5a377
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as a PDF phishing trojan by ClamAV. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to potentially compromised websites or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a deliberate attempt to obscure the malicious nature of the links by distributing them across many hosts and using UTM parameters.

Machine Learning

  • Nyx PDF Classifier clean score 0.2156

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=black+butler+episode+24+english+dubbed PDF link annotation
    • http://alotercuman.com/ckfinder/userfiles/files/rorebeviwem.pdfIn PDF document text
    • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/acc2b44e14a6648f101dbff34244934d/77576786499.pdfIn PDF document text
    • https://www.pelicanfinancialnetwork.com/ckfinder/userfiles/files/17635218730.pdfIn PDF document text
    • http://vandientuchinhhang.com/upload/files/50561304789.pdfIn PDF document text
    • http://e-restauracion.com/app/webroot/files/uploads/files/34665790438.pdfIn PDF document text
    • https://meganimal.pt/site/upload/file/degezibelukopadojijuv.pdfIn PDF document text
    • http://pwmtqatar.net/userfiles/file/34615572906.pdfIn PDF document text
    • http://healingtown.org/userData/board/file/somojozejibatitup.pdfIn PDF document text
    • https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/468f66bb498b8c78bb9f61666bcb8803/lemavajajo.pdfIn PDF document text
    • https://seroinstitute.com/wp-content/plugins/super-forms/uploads/php/files/61716ce2d2dab14619d9a9157c91e354/77683339640.pdfIn PDF document text
    • http://countryclaim.cz/userfiles/file/71887510347.pdfIn PDF document text
    • http://teplo76.ru/uploads/file/322838524.pdfIn PDF document text
    • https://korovin.org/site/img_ufiles/bumugejunabomefe.pdfIn PDF document text
    • http://am-assets.com/aom/magnolia/userfiles/file/ruwufusizutanorigon.pdfIn PDF document text
    • http://sosonomo.com/ckfinder/userfiles/files/mukivugesutarowin.pdfIn PDF document text
    • https://atlantidegattico.it/file/gurumuminulidonexajar.pdfIn PDF document text
    • https://smshealthcareservices.com/ckfinder/userfiles/files/72298810000.pdfIn PDF document text
    • http://www.rify.us/cms-uploads/files/8810744219.pdfIn PDF document text
    • https://supermagnum-bg.com/ckfinder/userfiles/files/juroxudawi.pdfIn PDF document text
    • http://salamatekhanevadeh.ir/ckeditor/files/files/41959957068.pdfIn PDF document text
    • http://euromarkcreations.com/new/fck_img/file/kifafojexazo.pdfIn PDF document text
    • http://1yunnan.com/ckfinder/userfiles/files/54190594529.pdfIn PDF document text
    • https://ldcpc.com/ckfinder/userfiles/files/sepunowanunigajadiva.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000118a0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x118A0 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000130b2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x130B2 21052 bytes
SHA-256: 71c147eccf9096e7da733026b88c9e67d415bfedf5f513add0d7a037ac0b627f

Open this report in the interactive analyzer, or submit your own file for analysis.