Malicious PDF — malware analysis report

Static analysis result for SHA-256 e18fe71a5a558863…

MALICIOUS

PDF

62.3 KB Created: 2021-10-01 10:10:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: e60a537e28d29ae2fe4bcb94659743f5 SHA-1: 77f4006a3bfa279dda778ad53b498011ce1857c2 SHA-256: e18fe71a5a558863bad9706886ac29556ab47a295b2ea341b4e6275b7e323da8
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to redirect users. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or malware distribution intent. Although no scripts were explicitly extracted, the nature of the embedded URLs and the heuristic firings point towards a malicious document, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4569

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=appstore+for+android+tv PDF link annotation
    • https://acryl-bg.com/userfiles/file/bumojadujorabupokuno.pdfIn PDF document text
    • http://icareonline.net.au/ckfinder/icare/files/10272734044.pdfIn PDF document text
    • https://gotoko.com/cmsv2/upload/files/nikivajazigagu.pdfIn PDF document text
    • http://quickfix-poland.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f5006695f1---vikejakigizedavi.pdfIn PDF document text
    • http://automotiveenergy.cz/userfiles/file/51796239248.pdfIn PDF document text
    • https://ladida.asia/sporlegen/administrator/imagetempfile/12745346868.pdfIn PDF document text
    • https://12shio1.com/contents/files/64907441074.pdfIn PDF document text
    • http://balone.net/_upload/file///57592817896.pdfIn PDF document text
    • https://lotteppta.net/beta/assets/file/40038199241.pdfIn PDF document text
    • http://alnadaoil.com/userfiles/file/bogipipoxevadumilin.pdfIn PDF document text
    • http://ohana1bbq.com/uploads/files/29427608994.pdfIn PDF document text
    • http://nakajima-ya.com/user_data/image/file/lidutipolexijovuki.pdfIn PDF document text
    • http://samtekelektrik.com/files/voxululevuborajukax.pdfIn PDF document text
    • https://betsin.org/userfiles/files/raxov.pdfIn PDF document text
    • http://kadh.kr/bobod/upload/file/gijupedoduwuda.pdfIn PDF document text
    • https://limberhurstgallery.com/imageuploads/file/41631648507.pdfIn PDF document text
    • https://kaskad-74.ru/images/uploads/26682212298.pdfIn PDF document text
    • http://antik-cafe-bergen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16135835222be3---14104173092.pdfIn PDF document text
    • http://sloplast.com/userfiles/files/72548259956.pdfIn PDF document text
    • http://keifo.ru/ckfinder/userfiles/files/lomesirarakom.pdfIn PDF document text
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16145d4ea1ba10---tusujemolafesepokisosobi.pdfIn PDF document text
    • http://citranco.com/users/files/gelutegifogatelezunuladil.pdfIn PDF document text
    • https://www.mediawerf.nl/bundles/store24backoffice/ckfinder/userfiles/files/lerifupopipugunusadeputif.pdfIn PDF document text
    • http://car-zone.sk/data/data/file/99851582713.pdfIn PDF document text
    • http://secretinvitation.net/images/files/57580540015.pdfIn PDF document text
    • http://louisiana-arts.org.s150269.gridserver.com/siteuploads/editorimg/file/xugomusowimurilegalupo.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b32f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB32F 17480 bytes
SHA-256: 74340699674433da93233773f5152417b17b45f9c5eef0c33ce4af0503fc1a8f
font_01_sfnt_off0000e00b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE00B 10492 bytes
SHA-256: 6cf4af09e5405cc5b665282492325c6ce791f906bafc057ca76a0cf985f06d3e