Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb96244bfdbe8f33…

MALICIOUS

PDF

96.0 KB Created: 2021-08-18 08:24:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 4ea1a9cec0ac179055acfc5a936c3b9c SHA-1: b25125130f105492111fe6f6ceda6069de315980 SHA-256: eb96244bfdbe8f33cc44e490729adce8789eef7bbd44de5c3aa21c56a1cb0ba8
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to trick users into downloading malicious files. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the PDF structure and URL patterns are consistent with phishing lures designed to facilitate further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5181

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cuacuonbentre.com/upload/files/woradagunalikaxikidum.pdf In PDF document text
    • http://nfrostov.ru/upload/files/vipivimifivuxifef.pdfIn PDF document text
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b07f546fae---31734120496.pdfIn PDF document text
    • https://www.medipratik.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091696524468---11821800275.pdfIn PDF document text
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9d4566ad74---10758936386.pdfIn PDF document text
    • http://kythuatviet.vn/uploads/userfiles/file/silalomatoxupibox.pdfIn PDF document text
    • https://themodernla.com/wp-content/plugins/super-forms/uploads/php/files/03ae1aa631fc4d1236ba089f23384380/75489923294.pdfIn PDF document text
    • https://aljazeerahdrilling.com/userfiles/files/nebimasobexamosu.pdfIn PDF document text
    • http://rbc-bezorgdiensten.nl/upload/81572810287.pdfIn PDF document text
    • https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b09eddc6a87---nekusije.pdfIn PDF document text
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16105dc7d5c872---pibaxejerozid.pdfIn PDF document text
    • http://salocchi.it/userfiles/files/72200816744.pdfIn PDF document text
    • http://www.pattyn360.com/upload/forum/files/fejorojiwu.pdfIn PDF document text
    • http://email-database.info/userfiles/file/76264180899.pdfIn PDF document text
    • http://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5fa94f31d---minutokot.pdfIn PDF document text
    • https://veglifekc.org/wp-content/plugins/super-forms/uploads/php/files//lavor.pdfIn PDF document text
    • https://xn--1--8kcai1ck2bs.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/4bf1a41ba14d8ddda37908169854ba4d/81263895155.pdfIn PDF document text
    • http://indecomavo.pl/inc/6091409135.pdfIn PDF document text
    • https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/ea2c887c44723462f755bbf66b520a64/nafiwerosuga.pdfIn PDF document text
    • https://ctners.com/ckfinder/userfiles/files/dalujifuzigokul.pdfIn PDF document text
    • http://ypperfect.com/ckfinder/userfiles/files/sesirepuveg.pdfIn PDF document text
    • http://virtualcharityevents.com/vce_cake/files/files/kipazanugafagiluxujez.pdfIn PDF document text
    • http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/eb1f46dc3578489ee1f14277e08e84f0/moxiga.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=integrated+chinese+level+1+part+2+workbook+answer+key+lesson+12PDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000156bb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x156BB 4076 bytes
SHA-256: 99e6f4bbf1ca44f6b16b41bc2c08a6d8abba3ce7e99cd0be29a7de101b6165a8
font_01_sfnt_off0001665e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1665E 11416 bytes
SHA-256: ba8babadd6b0e1111a1216d2c39b339ee5d316ad07954e4758d4d14455f075b3