Malicious PDF — malware analysis report

Static analysis result for SHA-256 e42d402e30b2a8bc…

MALICIOUS

PDF

56.9 KB Created: 2021-07-29 21:27:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: bb9f9cbaa4a77095b2f1e5366ab2b33d SHA-1: c4a7a7381e21d26e6a23e3d69802dca3faaea124 SHA-256: e42d402e30b2a8bc18754788e5cffd6eeaf4428fc5c32340990c914da4cfc5b9
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including ML classification and ClamAV, indicating malicious content. It contains an embedded JavaScript stream and a link farm pointing to compromised WordPress sites, suggesting an attempt to redirect users to malicious content. The presence of numerous external URIs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic strongly suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9720

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160acb48849106---jadanenopivapu.pdf In PDF document text
    • https://www.studioline.ie/ckfinder/userfiles/files/98568248474.pdfIn PDF document text
    • https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/03e064f52f3d796e3ccf607b9e0ee4b7/86985911991.pdfIn PDF document text
    • https://leicht-spb.ru/wp-content/plugins/super-forms/uploads/php/files/689bb3938d1160b8a64f56fcc2387af6/6492107012.pdfIn PDF document text
    • http://okudshava.ru/userfiles/file/1847339414.pdfIn PDF document text
    • http://bellina.pl/userfiles/file/87322027687.pdfIn PDF document text
    • http://nicenpos.com/userData/board/file/2179750343.pdfIn PDF document text
    • http://red-persimmons.com/upfiles/editor/files/tutarokexamizafejo.pdfIn PDF document text
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/c5972bc4827d99a7c4e98b67820cc4d8/jupifubij.pdfIn PDF document text
    • https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/160703f6100d43---12149970315.pdfIn PDF document text
    • http://maekalocal.com/Maeka/UserFiles/File/12254673384.pdfIn PDF document text
    • http://www.tecnotrefg.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609e53e594800---26196784434.pdfIn PDF document text
    • https://www.audioclinica.pt/wp-content/plugins/super-forms/uploads/php/files/rnnlnk9f0spgigq5t017oqru72/duxuxijisi.pdfIn PDF document text
    • https://macauroommate.com/ckfinder/userfiles/files/34621966966.pdfIn PDF document text
    • http://objetivovender.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ee8a0ecf09---80780743137.pdfIn PDF document text
    • https://sfasg.jp/js/ckfinder/userfiles/files/buzorowazesite.pdfIn PDF document text
    • http://jfhcoaching.com/userfiles/files/zuwenagozizovir.pdfIn PDF document text
    • https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/274fcf5db07d8bbc4ebac031fd0289c2/rowol.pdfIn PDF document text
    • http://www.primalegal.eu/wp-content/plugins/super-forms/uploads/php/files/nv35nb8b5j93v0mvnm24ekvnc2/84983263781.pdfIn PDF document text
    • http://cuacuongiare.vn/upload/files/fosurumobojepevef.pdfIn PDF document text
    • https://www.hotwaterfactory.com.au/wp-content/plugins/super-forms/uploads/php/files/1018369921ac7c4da1ddec69aec429da/4138317101.pdfIn PDF document text
    • http://driver-jazda.pl/upload/file/vamixamikitusarewiv.pdfIn PDF document text
    • http://budka39.ru/files/vijalumomedexumoweji.pdfIn PDF document text
    • http://www.jhannahs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d65122e3aba---masomepinedowid.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=kpss+2020+t%C3%BCrk%C3%A7e+paragraf+soru+bankas%C4%B1+pdf+pegemPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.