Malicious PDF — malware analysis report

Static analysis result for SHA-256 edf99d465ecc7831…

MALICIOUS

PDF

63.6 KB Created: 2021-07-17 02:28:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: c598933716d8eae95816f8ca4fcdc2cc SHA-1: 74fd86ee7c4b4adc8269a65425340b7608e3d917 SHA-256: edf99d465ecc7831a9a024998295111c318a40cb385c0a94480ca837b9e085bf
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and exhibits characteristics of a link farm, with numerous URLs pointing to potentially compromised or disposable hosting. The presence of 'SE_LOLBIN_RUN_COMMAND' suggests an attempt to execute commands, likely facilitated by embedded scripts or external links. The document body is unreadable, but the heuristics indicate a malicious intent to redirect users to external sites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4957

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://247hvac.ca/fabulous1/uploads/files/88221041502.pdf In PDF document text
    • https://beaufortbond.com/wp-content/plugins/super-forms/uploads/php/files/0dcfdaa9845bfd3fe0d41206dde2e287/tivimudarolona.pdfIn PDF document text
    • http://grandinhr.eu/images/user/file/88990990519.pdfIn PDF document text
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1608fc57cc5837---3013927188.pdfIn PDF document text
    • http://china-zub.ru/userfiles/file/vojavelajamejefezeji.pdfIn PDF document text
    • http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608c35c04f947---dikorufutosezefugaxi.pdfIn PDF document text
    • https://nailseasupportgroup.com/wp-content/plugins/super-forms/uploads/php/files/27088a0b2f4dc9cd7120e307e9f8b754/vogeviza.pdfIn PDF document text
    • https://medtek.vn/storage/file/62230930592.pdfIn PDF document text
    • http://labonguyenhoang.com/img-chamthi/files/92444302795.pdfIn PDF document text
    • http://vladjurnalist.ru/archive/file/68789835833.pdfIn PDF document text
    • https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/6da8d1b1b2fdbbac15678ec6a7d5231a/tejafo.pdfIn PDF document text
    • http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/160954e0bd1e4c---48187539617.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ec4a879a870---gupejemosawimafa.pdfIn PDF document text
    • http://baigeleather.com/userfiles/file/79943945618.pdfIn PDF document text
    • https://didacostruzioni.it/userfiles/file/dofupebesekodutixor.pdfIn PDF document text
    • http://saamfactory.com/wp-content/plugins/super-forms/uploads/php/files/6d842b0a0e1e80661a29e44c17b09572/30267456470.pdfIn PDF document text
    • http://hanasushi6.com/uploads/files/81010160336.pdfIn PDF document text
    • http://www.sunarozlem.com.tr/wp-content/plugins/super-forms/uploads/php/files/4tcmd60c6ap7eamaiapm9hct76/zubotuzinepibivunaduna.pdfIn PDF document text
    • http://king-ber.com/UploadFiles/file/20210708053201864.pdfIn PDF document text
    • http://kondicionery-dolgoprudny.ru/upload_picture/file/resotagopiduzolufumudamed.pdfIn macro / runtime command snippet
    • https://www.mybizwebsites.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f4f2b21052---56154330723.pdfIn PDF document text
    • https://nada70.org/userfiles/file/nigixupewifubizat.pdfIn PDF document text
    • https://pyhm.ca/wp-content/plugins/super-forms/uploads/php/files/k7i47f4lr65k9cmos54pmu6fo0/84940223541.pdfIn PDF document text
    • https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/95838f1f3f83c7a066f977bde8a5b184/17958155364.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=is+there+a+comma+before+quotesPDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.