Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0a35ff665ce3790…

MALICIOUS

PDF

116.6 KB Created: 2021-06-10 21:04:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 4368b3f02065695d82bd52cba1c1cbcd SHA-1: c104db3d9e612809739a3a5c3ce896991fc446ed SHA-256: e0a35ff665ce37901c94bd99565c1b465e8a8d865279d4ef79dd34d2e5d7e6c3
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating it is likely a phishing or malware distribution lure. It functions as a link farm, containing numerous URLs that point to various websites, including those hosted on compromised CMS platforms. The presence of 'utm_term' parameters in some URLs suggests an attempt to track user engagement, further supporting a phishing or malicious redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9040

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=naruto+kurama+manga PDF link annotation
    • https://awlights.com/wp-content/plugins/super-forms/uploads/php/files/67a52cc15cc12e933e07d6e885211932/walegigip.pdfIn PDF document text
    • https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/f455b344a755d83bbb67d1b18af241b7/23298742987.pdfIn PDF document text
    • https://www.straightmyteeth.com/wp-content/plugins/super-forms/uploads/php/files/2b492f79edfa054f30a1b4a6ffcf712d/revatid.pdfIn PDF document text
    • http://guides2alpes.fr/uploads/file/texulotoroze.pdfIn PDF document text
    • https://hijaulumut.com/contents//files/37825931059.pdfIn PDF document text
    • http://chicagohalo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160945104204f0---41267434391.pdfIn PDF document text
    • http://ambvet-trefontane.eu/userfiles/files/jurapafoburunasakuwo.pdfIn PDF document text
    • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160719e90c9d5e---xadorajuvovafudizaxipewif.pdfIn PDF document text
    • http://gramercygrand.ru/files/file/feguxasutarodurixipepox.pdfIn PDF document text
    • http://caribsplash.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b0fcf0e42b3---37694174916.pdfIn PDF document text
    • https://angelsforwarriors.org/userfiles/files/xilajizukorovewifirurunan.pdfIn PDF document text
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/62a5c39b69e7dccc46337d6e7bcfa4e7/52508594731.pdfIn PDF document text
    • https://www.jahnigterbraak.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a324d497707---92326710248.pdfIn PDF document text
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160b3cb3fbd967---kelaruraturamatafulinel.pdfIn PDF document text
    • http://solarhomepage.ch/fckeditor/editor/images/file/22416567670.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001933d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1933D 7428 bytes
SHA-256: 8b2bec9f0afc142a010dde77a421136914455d3ac6d64f3b2bec5c096a27516d
font_01_sfnt_off0001ac88.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AC88 4828 bytes
SHA-256: 5c317db0a79f758a4745b812ea4ded389bd87bfc0175b7e44318f956dffdf84a

Open this report in the interactive analyzer, or submit your own file for analysis.