Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec0db08ce16c08da…

MALICIOUS

PDF

138.8 KB Created: 2021-06-27 21:41:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: fdefc3df964ead53926349f1b20b2e81 SHA-1: 2ac9246000ac5d237c43965e727b432047421247 SHA-256: ec0db08ce16c08da651db4553fdd87e289643f759b1593f021b0b169a8125b82
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm pointing to multiple compromised WordPress upload storage locations and disposable hosting. ClamAV detected this file as Pdf.Phishing.Trojan, indicating a phishing or trojan distribution intent. The embedded URLs are designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3318

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.truesdalepainting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d1b51324d3---somobetupebuganexime.pdf In PDF document text
    • https://www.mixedclass.com.au/wp-content/plugins/super-forms/uploads/php/files/bn6ugtq29bovf46pgtp9om35vb/bozoburapejoxenebasi.pdfIn PDF document text
    • http://carszana.com/image/upload/File/63976732333.pdfIn PDF document text
    • https://mosconi.net/userfiles/file/pawixolamozodopuni.pdfIn PDF document text
    • https://zoldlepes.hu/userfiles/file/womizapudekugifo.pdfIn PDF document text
    • http://www.advokat.com/app/webroot/img/fck/file/89047694825.pdfIn PDF document text
    • http://olgapolyakova.com/files/files/vizexekufita.pdfIn PDF document text
    • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/6943c3c3f1b50c9c2d3c6435b689701b/15637606545.pdfIn PDF document text
    • https://www.fmworks.com.tr/wp-content/plugins/super-forms/uploads/php/files/du6el84q9rtlca1rn8mp7957b3/43260503868.pdfIn PDF document text
    • https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160988cf9d34ed---55093660380.pdfIn PDF document text
    • https://aduanaldelvalle.com/userfiles/file/mawafadaxizosebaxaferu.pdfIn PDF document text
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072349b1df15---90498234791.pdfIn PDF document text
    • http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/160d840777231f---kusunobazexojoribon.pdfIn PDF document text
    • http://udmvdpo.ru/images/files/wufirezosixoniweduje.pdfIn PDF document text
    • http://galettedesrois.hu/userfiles/file/9001667979.pdfIn PDF document text
    • http://zuche0551.com/upload/file/71422915335.pdfIn PDF document text
    • https://sgdivorcelawyers.com/wp-content/plugins/super-forms/uploads/php/files/c85b27a3b8d518199c535560835f4055/92103613226.pdfIn PDF document text
    • http://aptchasers.com/FCKeditor/userfiles/file/demimuzanebo.pdfIn PDF document text
    • https://www.reachcast.ca/wp-content/plugins/super-forms/uploads/php/files/a742e62a33dbd83ca9b5f75b9bf1f077/pasigasoxiravowobudag.pdfIn PDF document text
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608223c7a0cfb---92053746115.pdfIn PDF document text
    • https://binhruamuinanobac.com/wp-content/plugins/super-forms/uploads/php/files/c55dtrk5ktfd4aert7u2d9s2no/89304713482.pdfIn PDF document text
    • http://catgarner.com/clients/873270/File/nisiborevamig.pdfIn PDF document text
    • http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160ae39f57c810---ninapetamovuxopo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=were+the+philistines+canaanitesPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001d76a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D76A 23888 bytes
SHA-256: 95f193564f6fbcbef3286d40c6fb212efde7cfcac8ef8e1230ea126285b74c88
font_01_sfnt_off0002114d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2114D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.