Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3a639ed6b477091…

MALICIOUS

PDF

85.6 KB Created: 2021-06-15 14:00:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-17
MD5: 1fd9fe536358ef6621c29770f64366d3 SHA-1: b7d80f2b33e6bce4a8e9a173d572a18b0fa32437 SHA-256: e3a639ed6b477091078894df934b00b479db1998ec1e5bcd43d6a6c3fa7d2b54
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is classified as malicious by ML models and ClamAV, indicating it is likely a phishing or trojan delivery mechanism. It contains numerous links to external sites, many hosted on compromised WordPress installations or disposable domains, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, appears to be a lure related to 'Lalitha sahasranamavali in telugu pdf', likely to trick users into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8344

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://synerhu.ru/uplcv?utm_term=lalitha+sahasranamavali+in+telugu+pdf PDF link annotation
    • http://altelaw.com/uploads/image/file/21327179604.pdfIn PDF document text
    • http://aaexpansionjoint.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b317953fb85---kufetexot.pdfIn PDF document text
    • https://finestblogger.de/wp-content/plugins/super-forms/uploads/php/files/ifn6vs3q6irqrbtgagdv877d6q/sonotugamedenowugen.pdfIn PDF document text
    • http://ubestsports.com/imager/files/20210606101147.pdfIn PDF document text
    • http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/160bfd46fa6f33---mikixewixeraperesumom.pdfIn PDF document text
    • http://aiswaryamatrimonials.com/fck_uploads/file/96815868906.pdfIn PDF document text
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc8c423c1c---15480037394.pdfIn PDF document text
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bab198adaad---43711462961.pdfIn PDF document text
    • http://simonide.org/userfiles/file/rujufiru.pdfIn PDF document text
    • https://bringem.de/wp-content/plugins/super-forms/uploads/php/files/c98f612c036820c26682c740c463ad42/47674074132.pdfIn PDF document text
    • https://sckstone.com/wp-content/plugins/super-forms/uploads/php/files/cdb6a7bf249a03d1fda3b27c04badb91/58554874010.pdfIn PDF document text
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7fbc176fcb---fizivijeguwed.pdfIn PDF document text
    • http://banhangcongnghe.com/upload/FCK/file/99346122.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ebad99b862---woviketedelodepomutuxedil.pdfIn PDF document text
    • http://chocolatycakes.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078ab21b37b0---muregejoxizolisusajepidej.pdfIn PDF document text
    • http://purpledoorchurch.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072af5047948---72689093788.pdfIn PDF document text
    • https://carpanea.it/wp-content/plugins/super-forms/uploads/php/files/82d8f4e56c944414095aca6fa8a2a8d7/wotozosugepuxalu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010447.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10447 5456 bytes
SHA-256: 3435590630d79ee95c75c130d33f0821a1d8b29cd84fb4fff83bf4a75ab02a2d
font_01_sfnt_off000116b4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x116B4 3452 bytes
SHA-256: 7873ce204dc0b3caf66a641f27de4f482a624bb61428a6553c5bc215d34534b5
font_02_sfnt_off00012439.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12439 11976 bytes
SHA-256: ac62c4cfb8e53b8253015745b8666c37bb31ce34b560ed31da97cbbb25626c64