Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecf1110ed9a737b2…

MALICIOUS

PDF

59.5 KB Created: 2021-09-06 10:27:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 11f7313f87ccf6d99570b4dd76b59410 SHA-1: 35acabbf3aaa642d467f6268f44dc292859cb598 SHA-256: ecf1110ed9a737b244ac5ae1f20411b22ae729d3820a53b0c4caddb934e5385e
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or malware distribution attempt. It contains numerous links pointing to compromised WordPress sites and other domains, likely serving as a link farm to redirect users to malicious content. The presence of external URIs and link farms suggests an attempt to direct users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7110

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=sumas+y+restas+con+y+sin+llevadas+pdf PDF link annotation
    • http://skuplaptop.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160ba8da399fe7---85787178726.pdfIn PDF document text
    • https://www.enviedecrire.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077b6dd06225---miwat.pdfIn PDF document text
    • http://www.socalgreatwhite.com/wp-content/plugins/formcraft/file-upload/server/content/files/160728545d1a30---fonewaxur.pdfIn PDF document text
    • http://caramelitos.sk/files/23514328190.pdfIn PDF document text
    • https://georgiamusicpartners.org/wp-content/plugins/super-forms/uploads/php/files/9c2c6ed7dbc1d459252585bd508cad62/85776373546.pdfIn PDF document text
    • https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/0b46f5b4380da145d3d4af2fed79377d/detepaluzokim.pdfIn PDF document text
    • https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/nc4gtimrptji903ojgch0k3a3q/bawifavufulofa.pdfIn PDF document text
    • http://glovimex.com/uploads/ckfinder/files/jopokuge.pdfIn PDF document text
    • http://mobilni-kadernictvi.cz/files/file/79823987133.pdfIn PDF document text
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ddfd6264e1---4911775408.pdfIn PDF document text
    • http://cuatro-pr.org/sites/default/files/file/wimuwisatozivewe.pdfIn PDF document text
    • https://artsketch.ru/wp-content/plugins/super-forms/uploads/php/files/49a0222b2265b2f284b0115b32c2b2d0/82484922212.pdfIn PDF document text
    • http://iccjsc.com/images/uploads/files/fobifimofukegogavapevubo.pdfIn PDF document text
    • https://webgirls-studio.com/wp-content/plugins/formcraft/file-upload/server/content/files/1612e02aeda9c2---20175326812.pdfIn PDF document text
    • https://divinenine.net/userfiles/file/jupilijunupuveriviwofezim.pdfIn PDF document text
    • https://ottopianos.nl/files/modedekagelulovixuw.pdfIn PDF document text
    • https://readxyz.org/wp-content/plugins/super-forms/uploads/php/files/4f0983a9d46da84cce7b734499095182/29548644523.pdfIn PDF document text
    • http://extintoresorigen.com/images/editor/lozokoretelazoxutupa.pdfIn PDF document text
    • http://delve-cr.com/uploads/vilivolavexig.pdfIn PDF document text
    • http://friluftsgruppen.se/wp-content/plugins/formcraft/file-upload/server/content/files/160bed964820ec---fewewemezenevefanubirubav.pdfIn PDF document text
    • http://piau-po21inn.com/CKEdit/upload/files/34705275216.pdfIn PDF document text
    • http://ekolojikweb.net/upld/userfiles/file/48495472587.pdfIn PDF document text
    • https://www.baptistenhardenberg.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1610b52bb1917d---fironobetene.pdfIn PDF document text
    • http://russia-ex.com/images/blog/file/2314251502.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d136.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD136 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1