Malicious PDF — malware analysis report

Static analysis result for SHA-256 f760aca84a8245ef…

Verdict: MALICIOUS
File type: PDF
Size: 79.4 KB
Created: 2021-05-16 12:42:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80fc6dc879d875ad11c2cc03558eaedd
SHA-1: f3bf7258222b91c835965c25ddfd063034962fa9
SHA-256: f760aca84a8245ef63ec3e5f5910964eb62c44f0062a6070c2b3989be7ff3039
Risk score: 124

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF was flagged as malicious by the Nyx ML classifier (score 0.9585) and by a ClamAV phishing signature. Its link annotations point, across many distinct hosts, at random-slug PDF files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms); this is the hallmark of the SEO "free document/template" phishing PDF family, whose targets route users into redirect or payload chains on compromised sites. The document itself carries no exploit: the risk lies entirely in the linked destinations. No JavaScript detection fired among the heuristics below and the file was produced by wkhtmltopdf, so the T1059.007 (JavaScript) mapping and any claim of embedded, obfuscated JavaScript are not supported by the evidence in this report. The last five extracted URLs (ascendercorp.com, scripts.sil.org/OFL, dejavu.sourceforge.net) are vendor and licence URLs carried in the metadata of the embedded open-source fonts (see the carved sfnt artifacts below) and are not phishing targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9585

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ketchas.ru/uplcv?utm_term=chordana+play+for+piano+android
    • http://europeanprofservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080e4aa4ca6b---zokonupoxuxosem.pdf
    • http://banhangcongnghe.com/upload/FCK/file/zapodebedodatuzejibaxe.pdf
    • http://www.investing-in-women.com/wp-content/plugins/formcraft/file-upload/server/content/files/160886cf97e5b5---90998499548.pdf
    • https://www.medicalart.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160a06e746aaa8---72522977045.pdf
    • https://dungcuruamui.com/wp-content/plugins/super-forms/uploads/php/files/pdekiij9j036jqkouhnnifb064/6438313303.pdf
    • https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d075e6f584---xekamalibekum.pdf
    • http://projectbudapest.hu/wp-content/plugins/formcraft/file-upload/server/content/files/1606d15d7dfa01---45543650478.pdf
    • https://visaonline-vn.com/wp-content/plugins/super-forms/uploads/php/files/1bjgkurkl0nd5u49rhihtbplor/wakatukedos.pdf
    • https://cutletsmeat.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081a282ceea6---geduperixixevevemig.pdf
    • https://laneopx.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607055d76f4c8---sugunilu.pdf
    • https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/fd4ef17e47cc027dab44cca210787d07/tanesebidizegegut.pdf
    • https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/1c821e7b077438fd81a5e0343de5f67c/buputagevipeni.pdf
    • http://lifemartrealestateconnect.com/wp-content/plugins/super-forms/uploads/php/files/si7asev1he7dmo6t3a9s2v79v2/suxosukesapinafunova.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
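The PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristic above can be reproduced on the raw file. The following is an added example, not code from the analysis platform that produced this report: it pulls /URI targets out of link annotations in an uncompressed PDF, tests each path against the two plugin upload directories named in the heuristic, and fires when the matching links span enough distinct hosts. The random-slug test, the three-host threshold and the constructed sample PDF (which wraps link targets taken from the URL list above) are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Upload directories of the two WordPress form plugins named in the heuristic. Only the
# path prefix matters: the host is whichever compromised site happens to carry the plugin.
CMS_UPLOAD_PATHS = (
    "/wp-content/plugins/formcraft/file-upload/server/content/files/",
    "/wp-content/plugins/super-forms/uploads/php/files/",
)

# Simplified stand-in (an assumption, not the analyser's real rule) for "random slug":
# a .pdf whose stem is an optional hex prefix plus '---', followed by one unbroken run
# of lowercase letters or digits, e.g. 1608d075e6f584---xekamalibekum.pdf or 6438313303.pdf.
RANDOM_SLUG_RE = re.compile(r"^(?:[0-9a-f]{10,}---)?[a-z0-9]{6,}\.pdf$")

# /URI targets as written in a link annotation's /A action: literal (...) or hex <...> string.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)", re.S)

MIN_DISTINCT_HOSTS = 3  # assumption: how many hosts with farm-style links make a "farm"


def extract_uris(pdf_bytes):
    """Return every /URI target in an uncompressed PDF. Annotation dictionaries packed
    into object streams would have to be inflated first; that is not handled here."""
    uris = []
    for literal, hexstr in URI_RE.findall(pdf_bytes):
        if hexstr:
            raw = bytes.fromhex(re.sub(rb"\s+", b"", hexstr).decode("ascii"))
        else:
            raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)  # unescape \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_report(pdf_bytes, min_hosts=MIN_DISTINCT_HOSTS):
    """Apply the link-farm logic: count distinct hosts whose link targets are
    random-slug files under a known form-plugin upload directory."""
    farm, other = [], []
    for uri in extract_uris(pdf_bytes):
        path = urlparse(uri).path
        leaf = path.rsplit("/", 1)[-1]
        in_upload_dir = any(path.startswith(prefix) for prefix in CMS_UPLOAD_PATHS)
        (farm if in_upload_dir and RANDOM_SLUG_RE.match(leaf) else other).append(uri)
    hosts = sorted({urlparse(u).hostname for u in farm})
    return {
        "farm_links": farm,
        "other_urls": other,  # still worth a look, but not evidence for this rule
        "farm_hosts": hosts,
        "fired": len(hosts) >= min_hosts,
    }


HEX_URL = ("https://visaonline-vn.com/wp-content/plugins/super-forms/uploads/php/files/"
           "1bjgkurkl0nd5u49rhihtbplor/wakatukedos.pdf")

# Constructed minimal PDF (not the analysed sample) wrapping link targets taken from the
# report's URL list; object 9 stores its target as a hex string to exercise that branch.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842]\n"
    b"   /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ketchas.ru/uplcv?utm_term=chordana+play+for+piano+android) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://europeanprofservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080e4aa4ca6b---zokonupoxuxosem.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://banhangcongnghe.com/upload/FCK/file/zapodebedodatuzejibaxe.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://dungcuruamui.com/wp-content/plugins/super-forms/uploads/php/files/pdekiij9j036jqkouhnnifb064/6438313303.pdf) >> >> endobj\n"
    b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d075e6f584---xekamalibekum.pdf) >> >> endobj\n"
    b"9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <" + HEX_URL.encode().hex().encode() + b"> >> >> endobj\n"
    b"10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://scripts.sil.org/OFL) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    report = link_farm_report(SAMPLE_PDF)
    print("fired:", report["fired"], "hosts:", report["farm_hosts"])
    for u in report["farm_links"]:
        print("  farm ", u)
    for u in report["other_urls"]:
        print("  other", u)
```

Note that the banhangcongnghe.com link (an FCKeditor upload directory) and the ketchas.ru redirector land in `other_urls`: they are part of the same campaign but are not what this particular rule keys on, which is why the report lists them under EMBEDDED_URL rather than the link-farm heuristic.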

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000e3eb.bin
    SHA-256: 10a07fc969e6c8cf41398fcfefa625e426b29a45b33f3716d0886db1405c0d2a
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xE3EB
    Size:    2900 bytes

font_01_sfnt_off0000ee2e.bin
    SHA-256: 9460cee9581bd7bc55ffe457d998f744980af23b2cdc38f0d7b3fb99151f1afc
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xEE2E
    Size:    4668 bytes

font_02_sfnt_off0000fdfd.bin
    SHA-256: d32871330a3d265b662be59271457bb03af37bc3a4e4b76da8fe13f913d4e813
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xFDFD
    Size:    11304 bytes

font_03_sfnt_off000124f9.bin
    SHA-256: 66f1346a789a1b260b094ed00130362207567db1bdf14030bbf17b5b4ba904fc
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x124F9
    Size:    16264 bytes
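The artifact list records each font as an sfnt container at a byte offset with a carved size. The following added example (not the carving code of the analysis platform) shows how such artifacts are located and bounded: an sfnt starts with a magic value and a table directory, and the directory, not the magic alone, tells you where the font ends and whether the hit is real, since 0x00010000 turns up by chance in binary data. The table cap, the 4-byte rounding of the extent and the synthetic font used as sample input are assumptions made for this illustration.

```python
import hashlib
import struct

# Magic values that start an sfnt container: TrueType (0x00010000), Apple 'true', OpenType/CFF 'OTTO'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
MAX_TABLES = 64  # assumption: sanity cap; real fonts carry roughly 10 to 30 tables


def sfnt_extent(buf, off):
    """Validate the table directory at buf[off:] and return (length, table tags), or None.

    Every table record must have a printable ASCII tag and lie inside the buffer; a
    directory that fails this is a chance occurrence of the magic, not a font.
    """
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_len = 12 + 16 * num_tables
    if not 1 <= num_tables <= MAX_TABLES or off + dir_len > len(buf):
        return None
    end, tags = dir_len, []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):
            return None
        if toff < dir_len or off + toff + tlen > len(buf):
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, toff + tlen)
    # Tables are 4-byte aligned, so round the extent up (assumption; the carved sizes in the
    # report above are all multiples of 4), but never past the end of the buffer.
    length = min(-(-end // 4) * 4, len(buf) - off)
    return length, tags


def carve_sfnt_fonts(buf):
    """Find every plausible sfnt font in buf and return carved artifacts sorted by offset."""
    found = []
    for magic in SFNT_MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            extent = sfnt_extent(buf, pos)
            if extent is not None:
                length, tags = extent
                data = buf[pos:pos + length]
                found.append({
                    "offset": pos,
                    "length": length,
                    "tags": tags,
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "data": data,
                })
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_test_font(tables):
    """Assemble a minimal sfnt container from (tag, bytes) pairs.
    Constructed test data only; it is not a usable font."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * num
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)
    return header + directory + body


# Constructed stand-in for a PDF with an uncompressed font stream: junk around a small
# synthetic font, plus a stray 0x00010000 that must NOT be reported as a font.
TEST_FONT = build_test_font([(b"head", bytes(54)), (b"name", b"\x01\x02\x03")])
SAMPLE_BLOB = (b"%PDF-1.4\n<< /Length 104 >> stream\n" + TEST_FONT
               + b"\nendstream\n\x00\x01\x00\x00tail")


if __name__ == "__main__":
    # Same naming scheme as the artifact list above: font_NN_sfnt_off<offset>.bin
    for i, f in enumerate(carve_sfnt_fonts(SAMPLE_BLOB)):
        print(f"font_{i:02d}_sfnt_off{f['offset']:08x}.bin  {f['sha256']}  {f['length']} bytes  {f['tags']}")
```

In a real PDF the font streams are usually FlateDecode-compressed, so this scan is run over the inflated stream contents (or over the whole file when, as the offsets in this report suggest, the streams are stored raw); the hashes it produces are what you would pivot on to find the same font, and hence the same document generator, across other samples of the family.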