Malicious PDF — malware analysis report

Static analysis result for SHA-256 f55a68d12eb68f5a…

MALICIOUS

PDF

Size: 85.8 KB
Created: 2021-06-25 17:44:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-07
MD5: cc343c4ef66fac45f1f20da1306d4661
SHA-1: 31781c0c5ed4bf876276fb714c40acc5671958ba
SHA-256: f55a68d12eb68f5a2cc42f6040c340018614b8143858bd166f69ad735f9f2ba4
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains numerous external links, many pointing to compromised WordPress sites, suggesting a phishing or malware distribution attempt. ClamAV detection and ML classification confirm its malicious nature. The embedded links likely serve as a lure to download further malicious content or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5018

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://synerhu.ru/uplcv?utm_term=how+to+earn+coins+in+pokemon+go (PDF link annotation)
    • https://diaspoassur.com/wp-content/plugins/super-forms/uploads/php/files/0cea6c5a1f581cb8ef92a5459bc55345/20468612889.pdf (in PDF document text)
    • https://mwasafat.com/uploads/files/40657086018.pdf (in PDF document text)
    • https://www.sgestrecho.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608c29db2e845---2825025348.pdf (in PDF document text)
    • http://gptools.net/userfiles/file/92704530196.pdf (in PDF document text)
    • https://outsourcedbackoffice.co.uk/wp-content/plugins/super-forms/uploads/php/files/de275df6009e8032403a04bd32904151/zesup.pdf (in PDF document text)
    • http://terapie-psi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160cf8184552cd---mefadudiziruli.pdf (in PDF document text)
    • https://arizonapoolcontractor.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cb320209a0e---56315182896.pdf (in PDF document text)
    • https://mymovingestimate.com/wp-content/plugins/super-forms/uploads/php/files/d6219cf77d61818648f4a15a1aa96308/47837834371.pdf (in PDF document text)
    • http://alibabashipping.com/userfiles/file/badun.pdf (in PDF document text)
    • http://portalcom-b2b.es/img/user///file/_0588736001624551224.pdf (in PDF document text)
    • https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/7c39706d8cb3f388f45576423e0ae1d4/29509448700.pdf (in PDF document text)
    • https://www.inkfactory.pk/wp-content/plugins/formcraft/file-upload/server/content/files/160b75253c1c46---5290939279.pdf (in PDF document text)
    • https://mayurherbal.com/userfiles/file/85678604961.pdf (in PDF document text)
    • http://scro.ru/pic/file/24834760627.pdf (in PDF document text)
    • http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c74514c92a1---warawofovuvofawonovopula.pdf (in PDF document text)
    • https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/16080a4e6ecea5---niresuzu.pdf (in PDF document text)
    • https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/d79d3d84ec2bc4f78a127ba9e14d57ba/zemuratopadogegeg.pdf (in PDF document text)
    • https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/f0b223b70628714edf857bda3a97e980/tefaxib.pdf (in PDF document text)
    • http://raduzhniy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b79f8ea338a---gitel.pdf (in PDF document text)
    • https://n-v-v.dk/userfiles/file/20382593435.pdf (in PDF document text)
    • https://walkandsmile.com/userfiles/file/defupa.pdf (in PDF document text)
    • https://thejasmineway.net/wp-content/plugins/super-forms/uploads/php/files/9vipbfqtbg9j21akkqh37bk289/3324509685.pdf (in PDF document text)
    • http://www.multigacos.com/admin/uploaded/fck/file/17017382455.pdf (in PDF document text)
    • https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607e42583e928---wiwuti.pdf (in PDF document text)