Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaafbb4e1c841af9…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-05-22 05:15:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: 06dd37e140fed0a4ec4f87d8f15e1566
SHA-1: 73ac8c6d80eda60e6467b3cd905def75aefba737
SHA-256: eaafbb4e1c841af9ba59c013281221c3e78ed7d2193c9a3782ef27e8125b6c5d
Risk score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains numerous embedded links, most of them pointing at random-slug files parked in the upload directories of form plugins on compromised WordPress sites, plus an SEO redirector link; the pattern is a link farm used as a phishing lure rather than a normal citation list. The ClamAV signature Pdf.Phishing.Trojan and the ML classifier score support the verdict. The document text itself carries no exploit: its visible content is a lure themed on sensor calibration (the redirector's utm_term reads "how to calibrate lm35 temperature sensor"), there to give the links a plausible context. The risk lies entirely in the linked destinations, which were not fetched during this static analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5942

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/395qsql7pmu1lk0ccsf206tvg4/56744004086.pdf (in PDF document text)
    • https://ancoraeducacion.com/images/tegukovamurek.pdf (in PDF document text)
    • http://www.urbanwaterways.info/files/96594707611.pdf (in PDF document text)
    • https://www.makathastaliklari.net/wp-content/plugins/formcraft/file-upload/server/content/files/16072b8e5d9250---vonozuzijosobijevutidiz.pdf (in PDF document text)
    • http://afgventuregroup.com/cfiles/file/gazadisusivibufupujap.pdf (in PDF document text)
    • https://www.helpforbusymums.com/wp-content/plugins/super-forms/uploads/php/files/deceab55681f9680829cf9cf699a104a/52211832384.pdf (in PDF document text)
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/75c1ce039b59ab7693ff05defe2cd066/11825913641.pdf (in PDF document text)
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607d1a1a6b6d2---tavokixopote.pdf (in PDF document text)
    • http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f514d267c3---kiwinereruzadegupon.pdf (in PDF document text)
    • http://kameleonhastanc.hu/files/file/sijos.pdf (in PDF document text)
    • http://younewstoday.com/task/userimages/file/33515801446.pdf (in PDF document text)
    • http://math-talk.kr/wp-content/plugins/super-forms/uploads/php/files/525bnjhn2mbviobt0uh4i63abl/53662781357.pdf (in PDF document text)
    • https://atlanthealth.com/wp-content/plugins/super-forms/uploads/php/files/2dcd6cc0db2b6849247799e05ad212e9/fegewanogutabiv.pdf (in PDF document text)
    • https://www.alertgy.com/wp-content/plugins/super-forms/uploads/php/files/82735d042cbb339ddf45975a000be476/wemisuzudivirar.pdf (in PDF document text)
    • https://voolabs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160864f4ca7bf9---37011461996.pdf (in PDF document text)
    • https://www.ibyservice.com/wp-content/plugins/super-forms/uploads/php/files/0b11695b8803c77aff9806426b4ab0b6/lusexalelelit.pdf (in PDF document text)
    • http://www.pilonidalsinus.gen.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1608177a20306b---medato.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=how+to+calibrate+lm35+temperature+sensor (PDF link annotation)
    • http://scripts.sil.org/OFL (in PDF document text)
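The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM), re-implemented as an added example over the URL list this report extracted. This is not the scanner's own code: the thresholds, the plugin upload-path patterns and the disposable-host suffix list are assumptions chosen to reproduce the behaviour the heuristic descriptions state. A constructed benign control (a document citing three papers on one host) shows what a normal citation list looks like to the same logic.

```python
"""Added example, not the scanner's code: the two link-farm heuristics
run over this sample's extracted URLs. Thresholds and patterns are assumed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# URLs copied from the report's EMBEDDED_URL list above.
SAMPLE_URLS = [
    "http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/395qsql7pmu1lk0ccsf206tvg4/56744004086.pdf",
    "https://ancoraeducacion.com/images/tegukovamurek.pdf",
    "http://www.urbanwaterways.info/files/96594707611.pdf",
    "https://www.makathastaliklari.net/wp-content/plugins/formcraft/file-upload/server/content/files/16072b8e5d9250---vonozuzijosobijevutidiz.pdf",
    "http://afgventuregroup.com/cfiles/file/gazadisusivibufupujap.pdf",
    "https://www.helpforbusymums.com/wp-content/plugins/super-forms/uploads/php/files/deceab55681f9680829cf9cf699a104a/52211832384.pdf",
    "https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/75c1ce039b59ab7693ff05defe2cd066/11825913641.pdf",
    "https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607d1a1a6b6d2---tavokixopote.pdf",
    "http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f514d267c3---kiwinereruzadegupon.pdf",
    "http://kameleonhastanc.hu/files/file/sijos.pdf",
    "http://younewstoday.com/task/userimages/file/33515801446.pdf",
    "http://math-talk.kr/wp-content/plugins/super-forms/uploads/php/files/525bnjhn2mbviobt0uh4i63abl/53662781357.pdf",
    "https://atlanthealth.com/wp-content/plugins/super-forms/uploads/php/files/2dcd6cc0db2b6849247799e05ad212e9/fegewanogutabiv.pdf",
    "https://www.alertgy.com/wp-content/plugins/super-forms/uploads/php/files/82735d042cbb339ddf45975a000be476/wemisuzudivirar.pdf",
    "https://voolabs.com/wp-content/plugins/formcraft/file-upload/server/content/files/160864f4ca7bf9---37011461996.pdf",
    "https://www.ibyservice.com/wp-content/plugins/super-forms/uploads/php/files/0b11695b8803c77aff9806426b4ab0b6/lusexalelelit.pdf",
    "http://www.pilonidalsinus.gen.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1608177a20306b---medato.pdf",
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=how+to+calibrate+lm35+temperature+sensor",
    "http://scripts.sil.org/OFL",
]
# Constructed benign control: a normal document citing a few papers on one host.
BENIGN_URLS = ["https://example.org/papers/%s.pdf" % n for n in ("alpha", "beta", "gamma")]

# Upload directories of the WordPress form plugins the report names (assumed patterns).
CMS_UPLOAD_PATHS = {
    "super-forms": re.compile(r"/wp-content/plugins/super-forms/uploads/", re.I),
    "formcraft": re.compile(r"/wp-content/plugins/formcraft/file-upload/", re.I),
}
# Assumed placeholder list of free/disposable content hosts.
DISPOSABLE_HOST_SUFFIXES = ("000webhostapp.com", "weebly.com", "blogspot.com")
# Assumed thresholds; tune against a corpus before deploying.
SMALL_PDF_BYTES = 512 * 1024
MIN_PDF_LINKS, MIN_PDF_HOSTS, MAX_DOMINANT_SHARE = 8, 6, 0.5
MIN_CMS_LINKS, MIN_CMS_HOSTS = 3, 3

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def cms_upload_plugin(url):
    """Name of the form plugin whose upload directory hosts this URL, else None."""
    path = urlparse(url).path
    return next((n for n, pat in CMS_UPLOAD_PATHS.items() if pat.search(path)), None)

def is_pdf_link(url):
    return urlparse(url).path.lower().endswith(".pdf")

def is_seo_redirector(url):
    """A redirector carrying the search query it ranked for (utm_term)."""
    return "utm_term" in parse_qs(urlparse(url).query)

def is_disposable_host(url):
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in DISPOSABLE_HOST_SUFFIXES)

def summarize(urls):
    """Per-document link statistics that both heuristics are built on."""
    pdf_links = [u for u in urls if is_pdf_link(u)]
    pdf_hosts = Counter(host_of(u) for u in pdf_links)
    cms = {u: p for u in urls if (p := cms_upload_plugin(u))}
    return {
        "pdf_links": len(pdf_links),
        "pdf_hosts": len(pdf_hosts),
        # share held by the most common host: close to 1/N means "spread thin"
        "dominant_share": max(pdf_hosts.values()) / len(pdf_links) if pdf_links else 0.0,
        "cms_upload_links": len(cms),
        "cms_upload_hosts": len({host_of(u) for u in cms}),
        "cms_plugins": Counter(cms.values()),
        "seo_redirector": any(is_seo_redirector(u) for u in urls),
        "disposable_hosts": sum(is_disposable_host(u) for u in urls),
    }

def classify(urls, size_bytes):
    """Return (heuristic labels, statistics) for one document's extracted URLs."""
    s = summarize(urls)
    labels = []
    if s["cms_upload_links"] >= MIN_CMS_LINKS and s["cms_upload_hosts"] >= MIN_CMS_HOSTS:
        labels.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    spread_thin = (s["pdf_links"] >= MIN_PDF_LINKS and s["pdf_hosts"] >= MIN_PDF_HOSTS
                   and s["dominant_share"] <= MAX_DOMINANT_SHARE)
    corroborated = s["seo_redirector"] or s["disposable_hosts"] > 0
    if size_bytes <= SMALL_PDF_BYTES and spread_thin and corroborated:
        labels.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return labels, s

if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("benign control", BENIGN_URLS)):
        print(name, classify(urls, 81_613))  # 81,613 bytes is the report's 79.7 KB
```

On this sample the statistics are 17 PDF links across 17 distinct hosts (dominant share 1/17), 12 links inside Super Forms (7) and FormCraft (5) upload directories on 12 hosts, and one utm_term redirector, so both labels fire; the benign control, with three PDF links on a single host and no corroborating redirector, gets none. Note that neither heuristic fetches the destinations: they rate the link graph, not the payloads.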

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000fe58.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFE58   5560 bytes
    SHA-256: fc83caec4f1fd968c8d273fd72b71d818bc0fdbeea018c19973ff76121b645dc
font_01_sfnt_off0001112c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1112C  1700 bytes
    SHA-256: ffc5a1fddbc23a1066b81b00fb9bdac64a2f0adc7688f1fa6511a48ab54a061b
font_02_sfnt_off000119a3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x119A3  11956 bytes
    SHA-256: 7535534e838c584ac96f9695769b289c12a554479bf7ced7d86621b102c40da5
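How artifacts like the three font streams above are carved, as an added example that is not the analysis tool's own code: scan the raw bytes for an sfnt magic, then validate and measure the table directory so that decoys such as the PDF keyword "true" are rejected and the carved length is derived from the font itself. The PDF bytes below are constructed for the example; real embedded fonts are often FlateDecode-compressed, in which case the stream has to be inflated before this scan sees an sfnt.

```python
"""Added example, not the analysis tool's code: carve sfnt font streams from
raw PDF bytes by scanning for the magic and validating the table directory."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Apple TrueType
MAX_TABLES = 64  # assumed sanity bound; real fonts have well under this

def sfnt_length(buf, off):
    """Length of the sfnt at buf[off:] derived from its table directory, or None
    when the bytes merely resemble a magic (e.g. the PDF keyword 'true')."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        # tags are printable ASCII ("head", "OS/2", "cvt "); tables follow the directory
        if not all(0x20 <= c < 0x7F for c in tag) or toff < dir_end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return end

def carve_sfnt(buf):
    """Return [(offset, length, sha256, data)] for every valid sfnt found in buf."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1  # false candidate: keep scanning
            continue
        data = buf[off:off + length]
        found.append((off, length, hashlib.sha256(data).hexdigest(), data))
        pos = off + length

def build_sample_font():
    """Constructed minimal TrueType-flavoured sfnt with two dummy tables (120 bytes)."""
    tables = [(b"head", 54), (b"cmap", 20)]
    records, body, off = b"", b"", 12 + 16 * len(tables)
    for tag, length in tables:
        data = bytes(i % 256 for i in range(length))
        records += struct.pack(">4sIII", tag, 0, off, length)
        body += data + b"\0" * (-length % 4)  # tables are 4-byte aligned
        off += length + (-length % 4)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0) + records + body

# Constructed PDF-like buffer; the keyword "true" is a decoy the validator must reject.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Marked true >>\nendobj\n"
              b"2 0 obj\n<< /Length 120 /Subtype /TrueType >>\nstream\n"
              + build_sample_font() + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for off, length, digest, _ in carve_sfnt(SAMPLE_PDF):
        print("font at offset 0x%X, %d bytes, sha256 %s" % (off, length, digest))
```

The length check matters for the hashes in the table above: a carver that cut at the next "endstream" would include the trailing newline and change the SHA-256, so the size is taken from the directory's furthest table end and the scan resumes after it.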