Malicious PDF — malware analysis report

Static analysis result for SHA-256 edb89c6664037d9b…

MALICIOUS

PDF

Size: 76.3 KB
Created: 2021-05-02 14:17:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61a7934a9cf952fa4581b3c3f9322524
SHA-1: a175d6d5cb93655262ccbe290d779c54e3e83e99
SHA-256: edb89c6664037d9b9bcdbbe308e92592044646a8cdac7b80ac1753c5e3ab7a66
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous links pointing to external websites, many of which are hosted on compromised CMS platforms. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a pattern of using disposable hosting for link farms, suggesting an attempt to distribute or redirect to malicious content. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8872

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa30.bin
  SHA-256: 9ee279b343614cf705907cab42dc90b6ab09ca9a52ccaf27fe6a9742698a750b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA30
  Size: 5268 bytes

Filename: font_01_sfnt_off00010c2a.bin
  SHA-256: 3520d0571ed6c502ff8ac8a5dc3d2dafea9e8d53e57c5023e714388b38ec83e4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10C2A
  Size: 11576 bytes