Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4bcd6e693499881…

MALICIOUS

PDF

76.4 KB Created: 2021-06-13 09:53:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8c5313583cf16de8c65471c643c52e2 SHA-1: 7a50f8521b910130df6808b0e710ce81eb02b29e SHA-256: f4bcd6e6934998812b69a7a05a5b11872e2dfd25e4a82eb3ac4a3473dbb7b018
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, suggesting a phishing or malware distribution attempt. The presence of a 'link farm' heuristic and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly indicate malicious intent. Although no scripts were explicitly extracted, the embedded URLs are the primary mechanism for delivering a malicious payload or redirecting users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8826

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=1vs1+lol+aimbot
    • https://investmentskillsgroup.com/images/userfiles/file/jerapogelisupokifozir.pdf
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/at8a724nupd488bfq6svvu59t8/74294969726.pdf
    • http://vorne-sitzen.eu/pcms/content/file/fuporimakinan.pdf
    • http://bloomx.com/sites/all/sites/bloomx.com/files/99591709084.pdf
    • https://claphamjunction.com.au/wp-content/plugins/super-forms/uploads/php/files/af8f6b242a0ff5adde18f985d7aa8bf1/38702190675.pdf
    • https://askopenko.com/wp-content/plugins/super-forms/uploads/php/files/44fe76b652acf42f716c0780f44081f7/lenona.pdf
    • http://omonetach.pl/foto/ilustracje/file/32571627317.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/bf59946eb4992d69b73d0d245f5de9a1/vilivupodojidi.pdf
    • https://www.opdrrustukalac.com/wp-content/plugins/formcraft/file-upload/server/content/files/160987962c3750---74212025751.pdf
    • http://bebelino.ru/userfiles/file/30924747957.pdf
    • http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160ac97a27d767---biwexubagunezewobekegimor.pdf
    • http://orbitsecurity.qa/pro_mvp_tech/uploads/file/tisizokigagoveb.pdf
    • http://www.centralperdana.com/file/buxure.pdf
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c0b7c417194---tibawotujoxevuw.pdf
    • https://christembassyromford.org/wp-content/plugins/super-forms/uploads/php/files/bffd9140c476e41e51537f30b4b36588/xawuzupudoveduzuxabu.pdf
    • http://aiswaryamatrimonials.com/fck_uploads/file/27114049606.pdf
    • https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/282e10d062b71b2c09809fec066fc2e8/buwumumozoxadevimawig.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e9ec.bin
a8ec72ae0c984d28b23ef12bd9ec306746529bd97d336f22634327c827abedb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9EC 9484 bytes
font_01_sfnt_off000102db.bin
9543965855d6452a458f88b48957712408b7a3bb80d366235e90351eb8778e23		 pdf-font-stream PDF embedded font (sfnt) at offset 0x102DB 4892 bytes
font_02_sfnt_off00011370.bin
ee002f9d7cf5d651ad0eba3473dc73392017ef79731b332ec9997222e17b427b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11370 4248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.