Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5870f7f21f55d8e…

MALICIOUS

PDF

75.7 KB Created: 2021-09-08 10:42:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 6bd7b4f2a77a37b9396949bdb9eb790b SHA-1: 636284819e16d888eed5b66e8ed3153bd1e75e1b SHA-256: e5870f7f21f55d8e6af4ef01826d0e895df00392c961dd54f570ace375fc523c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress sites and disposable domains, indicating a phishing or malware distribution campaign. The ClamAV detection and ML classifier strongly suggest malicious intent. The document body is unreadable binary data, but the heuristics and URLs clearly show a pattern of redirecting users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7568

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=ysr+housing+application+pdf PDF link annotation
    • https://pinpointfeedtech.com/ckfinder/userfiles/files/zodidawanaditate.pdfIn PDF document text
    • https://zold-kommando.hu/files/27470131111.pdfIn PDF document text
    • https://autoschiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/160acf19ee25ed---zufisogomape.pdfIn PDF document text
    • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160fc98414ba18---metigidawagubefu.pdfIn PDF document text
    • https://rebel-guitars.com/wp-content/plugins/super-forms/uploads/php/files/d36330682fa18b511da19211731dbd85/wazukijewa.pdfIn PDF document text
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/160971b0ae563a---tumenujefijimopazitog.pdfIn PDF document text
    • http://stroynerud-sm.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160badca2d0967---falapomovixu.pdfIn PDF document text
    • http://jun-travel.com/userfiles/file/76911804412.pdfIn PDF document text
    • http://videoacceso.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611be1f252463---9416487173.pdfIn PDF document text
    • https://alexandrapanayotou.com/web/images/static/file/97190488838.pdfIn PDF document text
    • https://fietenhaardenenkachels.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160ac45725b466---sexuzoketifusufozixi.pdfIn PDF document text
    • http://pololanna.com/user_img/files/dikegadakipurifuzuporifa.pdfIn PDF document text
    • http://lmalaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/19968046358.pdfIn PDF document text
    • http://statsale.com/data/upload/ck/files/86343970978.pdfIn PDF document text
    • http://otelm4b.ru/admin/ckfinder/userfiles/files/vedamizovidune.pdfIn PDF document text
    • https://beautydiction.com/ckfinder/userfiles/files/negurukunusebuzub.pdfIn PDF document text
    • http://win-sonic.com/kida2018/ck_imgs/files/29489178177.pdfIn PDF document text
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/bv31nahrbsahas8g59rso3vstg/18251468200.pdfIn PDF document text
    • http://alemotta.com/resources/original/file/zajaluraputis.pdfIn PDF document text
    • https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/j32eetne51vselgthhok1dr0gk/32122897063.pdfIn PDF document text
    • https://www.advids.io/wp-content/plugins/formcraft/file-upload/server/content/files/1609d1bd02e695---11718805538.pdfIn PDF document text
    • http://hermandadperdon.es/userfiles/file/buzivuzago.pdfIn PDF document text
    • http://xmzs.org/userfiles/file/duposaremixivedonopabojo.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4df.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF4DF 17212 bytes
SHA-256: 1f01032e5182cf58578e0088ff23e4b8ce0af921e0fd5ec9c638ca70a10df9d8