Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5774d0743354e95…

MALICIOUS

PDF

83.1 KB Created: 2021-06-11 16:34:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 23fb9adeb5059ee75bd5e42cd99e75f5 SHA-1: ce6159f16129471467ace9f1142420ca3b0c5393 SHA-256: f5774d0743354e95a7a1f5012e29f327c03f5f70687dd8897bd2daf8eef9ada9
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains multiple links to external websites, many of which are hosted on compromised WordPress sites. The primary URL, "https://laborke.ru/uplcv?utm_term=strike+force+heroes+3+cheats", suggests a lure related to game cheats, likely to redirect users to malicious content or phishing pages. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7832

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=strike+force+heroes+3+cheats
    • https://jjmassociates.com/wp-content/plugins/super-forms/uploads/php/files/09ac2b6441ab5951850ed1d3a49bd77b/tofabidovekuge.pdf
    • http://yatros.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16093459dad39e---puwurozowidazi.pdf
    • https://olgapopovaphoto.com/wp-content/plugins/super-forms/uploads/php/files/73fe7232ff0285f692884801c649ea5e/wavirasoliriruvota.pdf
    • https://premiumvipbusiness.com/wp-content/plugins/super-forms/uploads/php/files/aeb003ecc86fa12672113460ce85fb20/8108069491.pdf
    • http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/a9kbi8nr4kgbhe84verdph5si0/75649932772.pdf
    • http://www.airportlimofortlauderdale.net/wp-content/plugins/formcraft/file-upload/server/content/files/16073650753e6f---20857521117.pdf
    • http://freemansphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071d9126abf0---94713499711.pdf
    • http://www.immiflex.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e07fff0bdb---womipebewagidazizipukiw.pdf
    • http://allaboutdowney.com/userimages/13613964691.pdf
    • http://bestbuyfromindia.com/userfiles/file/davekujogiritomogapufow.pdf
    • http://slp72.com/clients/7/7b/7b902bee17765b19ebdde6030f24742d/File/tuwegejewime.pdf
    • https://freedomhypnosisnyc.com/wp-content/plugins/super-forms/uploads/php/files/d9116bd890581de0d4d3e23ced698a16/50326189018.pdf
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607695c2cd9c6.pdf
    • https://www.hagensmarketing.com/wp-content/plugins/formcraft/file-upload/server/content/files/160744199f1dc5---rodubu.pdf
    • http://wksystems.net/HotelEstimator/userfiles/file/lepukijaba.pdf
    • http://www.sg-callenberg.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609b435c464bb---sufojejivefudule.pdf
    • http://suportti.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b54f92951fb---68225501305.pdf
    • https://www.fmworks.com.tr/wp-content/plugins/super-forms/uploads/php/files/4sl2u0q5fuaftcl4i7fsq2d8c3/subuvoxunezibexurogejup.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001122f.bin
27199e18ee237fbb2d7ab61c4c7bd02aa8215031166376c5267b8a032845d0d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1122F 5268 bytes
font_01_sfnt_off0001241a.bin
647385b41847728652810c14f00be6173ccaf88fcc695d82319cb649f8a5ec46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1241A 13824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.