Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea9ac9819959ab5f…

MALICIOUS

PDF

72.1 KB Created: 2021-08-10 09:03:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: 3b5e03be522bdc19a329210efa6f8785 SHA-1: 943a6dd7a72f372f48e6a220168d831ac7801748 SHA-256: ea9ac9819959ab5fdfe303ad5ee450716020cd19a88cf45a400449b9d5dd77ea
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was detected as malicious by ClamAV and an ML classifier, and heuristics indicate it functions as a link farm. It contains numerous URLs pointing to compromised WordPress sites and other disposable hosting, suggesting an attempt to redirect users to malicious content. The `wkhtmltopdf` authoring application and the presence of embedded URLs are consistent with phishing or malware distribution campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6804

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=what+is+security+analysis+tools PDF link annotation
    • http://boek.se/bilder_umeny/File/momazisagafumibis.pdfIn PDF document text
    • http://cga82.com/admin/File/vejiraseta.pdfIn PDF document text
    • http://salonlomi.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160c21b875adf9---56065314499.pdfIn PDF document text
    • http://studioingegneramato.com/userfiles/files/nixegimapobomeka.pdfIn PDF document text
    • http://learnazia.com/fck/imagesfile/84892330358.pdfIn PDF document text
    • http://www.bandungmesin.com/file/tuvekojip.pdfIn PDF document text
    • https://www.prowallpanama.com/wp-content/plugins/super-forms/uploads/php/files/e6fcece3af29746b263dac680f24fa05/pixakozubizupixe.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be31bf73bd0---tobozit.pdfIn PDF document text
    • https://autotrilogy.com/wp-content/plugins/super-forms/uploads/php/files/5605035e3bcf50d7029ac235a66a389d/20944207876.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e4b2c86ea57---duxumam.pdfIn PDF document text
    • https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/fe2f09a61f10b6eae3450eee1185898c/25274052424.pdfIn PDF document text
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ee7754879ab---zeraruzonok.pdfIn PDF document text
    • https://peterdegendt.be/file/kumokelizimedetor.pdfIn PDF document text
    • http://4bx.pl/public/file/89283922863.pdfIn PDF document text
    • http://0vote.com/ckfinder/files/tomadofifof.pdfIn PDF document text
    • http://atol-res.pl/uploads/file/nitazediwaxipejek.pdfIn PDF document text
    • http://atraba-holding.com/userfiles/file/60365329572.pdfIn PDF document text
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1608ac31cb14df---bagisajidezufuxepunenug.pdfIn PDF document text
    • https://total-sport.pl/img/upload/files/6558889212.pdfIn PDF document text
    • https://bilegt.mn/userfiles/files/39762847824.pdfIn PDF document text
    • https://leavereview.com/customerinterview/ckfinder/userfiles/files/99089658514.pdfIn PDF document text
    • http://samnakthodrahassob.com/userfiles/file/68523553313.pdfIn PDF document text
    • http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/1609062127bfb4---79540741345.pdfIn PDF document text
    • http://resurrection-life.net/userfiles/files/lulevabajomumidavuluvok.pdfIn PDF document text
    • http://jplus-ag.com/upload/files/BodyFile__60D8A60CB3411.pdfIn PDF document text
    • https://prestinieurope.ch/userfiles/files/xasarisoki.pdfIn PDF document text
    • http://2446665a.ru/ckfinder/userfiles/files/mexetotulo.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ffcc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFFCC 10536 bytes
SHA-256: 3bf0eeddde9ccc59022fee8cd444aecc27ca1f0678a6aa9248b966ca775d667b