Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7c7d6fb22d69d81…

MALICIOUS

PDF

78.3 KB Created: 2021-08-08 13:05:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 8284c7c55b4357e9103433a3bfd5214c SHA-1: 91175c7d5dc8ed8a51e7ed5cc3d6b2ea1058dc09 SHA-256: e7c7d6fb22d69d819ec28d0c2625ea45c0bb2f4c1379e8353d5782ce5f641a7c
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected as a malicious PDF by ClamAV and an ML classifier. It contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of these links and the overall structure indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9478

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/uplcv?utm_term=macbeth+quotes+and+analysis+pdf PDF link annotation
    • https://envida-nieuws.nl/bsb_website/upload_fck/file/nebitapa.pdfIn PDF document text
    • http://xn--aknmedcal-wpbe.com/uploads/file/33499105661.pdfIn PDF document text
    • http://kojeneckezbozi.eu/userfiles/file/bogipovosimawiduwuturije.pdfIn PDF document text
    • https://rybczewice.pl/userfiles/file/90209831611.pdfIn PDF document text
    • http://www.hkqi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16100285ea3a5f---90656964802.pdfIn PDF document text
    • http://ozkayalartrans.com/userfiles/file/gososuluwemomopemamanune.pdfIn PDF document text
    • http://planao.com/ckfinder/userfiles/files/51514109611.pdfIn PDF document text
    • https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/3ae3o8j7lv7n18smej9n3sa5ns/45115247587.pdfIn PDF document text
    • https://heyratacademy.ir/file/dajafewipix.pdfIn PDF document text
    • http://bright-mineral.com/uploadfile/file/2021061222052292.pdfIn PDF document text
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b84e87eb71---43317641546.pdfIn PDF document text
    • http://www.chicagoalphas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609470d919198---9719374970.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be6bca25d0c---naguxisijekiwomebekezo.pdfIn PDF document text
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/16095eb60e3144---86874845527.pdfIn PDF document text
    • https://chsins.tw/uploads//files/202108081438036949.pdfIn PDF document text
    • http://peneleos.pl/userfiles/file/lomapepikigetugusuvepe.pdfIn PDF document text
    • https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/9fde0215866a64e954beae489375275f/23311843005.pdfIn PDF document text
    • https://www.spreefahrten-berlin.de/wp-content/plugins/super-forms/uploads/php/files/fd8ok5ddrs25fnrd5ibtsh344o/11323446943.pdfIn PDF document text
    • https://xn--64-mlcufjjaii0l.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/27cca0c0191ca4e446140e3692e2eff4/kosajagebekowogimef.pdfIn PDF document text
    • http://jessicarossitto.com/clients/7/7c/7c16b8c799dae9ffcd1258f31d6ff645/File/53687669477.pdfIn PDF document text
    • https://fotojursa.cz/userfiles/file/buxosulopeziboluvovipibo.pdfIn PDF document text
    • https://sckstone.com/wp-content/plugins/super-forms/uploads/php/files/3cf8fc33448b7a84066c8c9ad60e45f1/34096460849.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbcfa71420c---45451303264.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010e6f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E6F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.