Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4d53c9752fdf2eb…

Verdict: MALICIOUS
File type: PDF
Size: 93.7 KB
Created: 2021-06-20 03:25:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: def9ac2b01b709a516b30f7dbbac695b
SHA-1: 2a3b81536eb01bfd8152953a8bf75f6062315f84
SHA-256: f4d53c9752fdf2ebaca9461ed9283a814dad86680aff0c8c6ba3bcb08166b718
Risk score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs that point to various websites, many of which are hosted on compromised CMS platforms or disposable domains. This structure strongly suggests a link farm designed to redirect users to malicious sites, likely for phishing or malware distribution. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7235

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, rule: PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, rule: PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000d8de.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD8DE | 7916 bytes | 2e595141cfc5a730015d867094056734cd151f5b215480bba884d522f17c5808
font_01_sfnt_off0000ed3e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED3E | 6484 bytes | 1e87b7a3c04023d83bb783ac0da7f6e3ab9d38522fd237c691ec8c5711216dd6
font_02_sfnt_off000103a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103A2 | 4156 bytes | 5bcf7f318894cd8667f709bf970fa8c582a8027402ea75fdf14ac0e15260a4d2
font_03_sfnt_off000111cc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x111CC | 2656 bytes | ff8289fcab20b7b81f5dc7c47458689637225d7099c48932a46d6898d6123f6c
font_04_sfnt_off00011cd1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CD1 | 4140 bytes | 2a2f73c0ee504ae8509221dab9a50e72e6c400a18e3952d3eee660ba18a0c3b1
font_05_sfnt_off000129ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129EE | 3048 bytes | b5c6b6e0c9ada0bf1c6b02372d38a6194b0fc304f51b15768a03b7bd417def48
font_06_sfnt_off000135f7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x135F7 | 4544 bytes | ff18c81e36cb9b15efdbce47b580caf324ee17e344593362339bc7644b00bcc1
font_07_sfnt_off000143fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x143FD | 2328 bytes | 18b250f24057ce91e4a59b25c1eec79fa8b4d7e2cb9f6c0de02c7e032a072fd4
font_08_sfnt_off00014eb5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14EB5 | 2604 bytes | 5fd53e2058c4f5d98b70161d670f1e42036942552fef68ac845a5e47e2d7f715
font_09_sfnt_off000159d9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x159D9 | 2108 bytes | 5fc9e2cd4e7ad04544edda2023dd698132b65daf167a61e09de9fd8de66d8b52
font_10_sfnt_off00016378.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16378 | 3840 bytes | 5b8e8035f8940535bfb5f3d78de7d5c45dbc51c905faa5d9788b8fc152e96872