Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed5826f26982a3c5…

MALICIOUS

PDF

91.5 KB Created: 2021-09-09 02:54:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 9fb09c841aaa97e25a51f79923302cdd SHA-1: 5ad129cd0da05d495aeaf657bef092c0669f3010 SHA-256: ed5826f26982a3c5b43cd84cde840ab86d8eb1775f039c5227a5d5decc823406
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to external sites. Several of these URLs are hosted on compromised WordPress installations or disposable domains, indicating a likely intent to lure users to phishing pages or sites hosting malware.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4066

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pixomot.ru/uplcv?utm_term=android+notification+small+icon+not+showing PDF link annotation
    • http://precisionsurgicalworks.com/alpha/ckfinder/userfiles/files/93597434410.pdfIn PDF document text
    • https://ever.dacola.com/upload/files/tozexanazele.pdfIn PDF document text
    • https://echipamente-scule.ro/userfiles/file/23355415335.pdfIn PDF document text
    • http://minuspk.ru/minuspk.ru/userfiles/file/38179748599.pdfIn PDF document text
    • https://makojudo.pl/zdjecia/fck/file/farokeboguw.pdfIn PDF document text
    • http://canadianrockies.info/files/file/zoziwaj.pdfIn PDF document text
    • https://cakkue.com/contents/files/miwidet.pdfIn PDF document text
    • https://zzhqhi.com/d/files/newurutuxol.pdfIn PDF document text
    • http://op-gold.com/ck_image/files/vomevixux.pdfIn PDF document text
    • http://ristoranteyuri2.com/userfiles/file/1375463535.pdfIn PDF document text
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/161376d47a4bea---kegurozodetofabamaxalip.pdfIn PDF document text
    • http://china-miyaco.com/img/file/20219414230.pdfIn PDF document text
    • https://www.carlosfunes.es/wp-content/plugins/formcraft/file-upload/server/content/files/1613879b0050bd---74524600432.pdfIn PDF document text
    • http://cu-hinothai.com/ckfinder/userfiles/files/25272972875.pdfIn PDF document text
    • http://iraneto.com/basefile/iranetocom/files/nuwisigasaj.pdfIn PDF document text
    • http://zakuskymoser.cz/www/ckfinder/userfiles/files/8792749105.pdfIn PDF document text
    • http://chothuexeninhbinh.net/data/dulieu/files/63654942284.pdfIn PDF document text
    • https://www.karavanlakesfet.com/wp-content/plugins/super-forms/uploads/php/files/515f23adec88d059fdaeb94d6eba2d78/8065683498.pdfIn PDF document text
    • https://implant-drill.com/userfiles/file/26554007886.pdfIn PDF document text
    • http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/1613610f7bdb04---35562763536.pdfIn PDF document text
    • http://gewald.ru/content/Files/15058001983.pdfIn PDF document text
    • https://bibliotheque-des-arts.com/ckfinder/userfiles/files/redigimol.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011d18.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11D18 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001352a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1352A 18632 bytes
SHA-256: a8d04b1b94e2e6f2bd016fb658dd0f2464c23a033fdf0b5b9f7f40fbbb5859ec