Malicious PDF — malware analysis report

Static analysis result for SHA-256 e163147059a7d0ae…

Verdict: MALICIOUS

File type: PDF

Size: 61.2 KB
Created: 2021-05-14 19:34:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b6d04de2f9bf9f1767de1db0250860bf
SHA-1: c2d3c575b2ba19ca331436fd373343bf023df3ce
SHA-256: e163147059a7d0aecab9de438b4b7621e769678d8b9d059b83efd02773e36a6e
Risk Score: 124

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by multiple heuristics, including an ML classifier and ClamAV, which identified it as a phishing trojan. The file contains a link farm pointing to compromised WordPress upload directories, suggesting an attempt to distribute further malware. The embedded content, though heavily obfuscated, most likely serves as a lure to get users to click these malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8151

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d722.bin
SHA-256: c28237d99e95d2113b30b362377ecd2c9d7c64322ad56f852c13d58cfd6a5af2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD722
Size: 5204 bytes