Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8f4d2d642f6cff5…

Verdict: MALICIOUS

File type: PDF

Size: 62.3 KB
Created: 2021-08-17 19:46:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: 548aa329d2888528ba47a32b32b03fe2
SHA-1: 87ffda18a56214ee35f8383e06b028b86f8b5abd
SHA-256: f8f4d2d642f6cff552b871d4e3842c3ea632a8119386ead53c21808ad3a04715
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links to files parked on compromised CMS platforms, indicating a link farm built to distribute malicious content or phish users. ClamAV's 'Pdf.Phishing.Trojan' detection supports this assessment, and the ML classifier also scored the file as likely malicious. Note that the static heuristics found no exploit in the PDF itself: the risk lies in the linked destinations, so the T1566.001 mapping is well supported by these findings, whereas the T1203 (Exploitation for Client Execution) mapping is not.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7797

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/a8b9555e05278696ae214ff0f6a2f756/2699803016.pdf (in PDF document text)
    • http://adamlegal.com/userfiles/file/duguvidexerinekuzisenive.pdf (in PDF document text)
    • https://daks-96.com/f/uploads/files/54797948640.pdf (in PDF document text)
    • http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4fe162f492---39602005132.pdf (in PDF document text)
    • https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a57b9725885---90837975310.pdf (in PDF document text)
    • http://botosani.ro/img/uploads/file/61956658727.pdf (in PDF document text)
    • http://navrattan.co/userfiles/file/13436862944.pdf (in PDF document text)
    • http://ahkkpcm.org/userfiles/19687053300.pdf (in PDF document text)
    • http://www.greenbriarpropmgmt.com/wp-content/plugins/super-forms/uploads/php/files/3ce010bdbc13348c963b5cb2817b40c7/86064946012.pdf (in PDF document text)
    • http://le-lemniscus-incandescent.fr/ckeditor/upload/files/jawolodavimofuru.pdf (in PDF document text)
    • https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/200a78e7499c1c22f16c0756741839cd/naronagezugosa.pdf (in PDF document text)
    • http://wsp.pl/userfiles/file/42157628694.pdf (in PDF document text)
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/14ed8f562a19eeecc9c32058b9f39111/vawizarifupesajoter.pdf (in PDF document text)
    • http://kaithompson.com/userfiles/file/lotuxejo.pdf (in PDF document text)
    • http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16119f6ae4c028---zulas.pdf (in PDF document text)
    • https://www.inkfactory.pk/wp-content/plugins/formcraft/file-upload/server/content/files/16077bae7f3d6d---65382628288.pdf (in PDF document text)
    • http://tubietelbar.hu/uploadfile/69751729516.pdf (in PDF document text)
    • https://www.brightfieldbusinesshub.co.uk/wp-content/plugins/super-forms/uploads/php/files/s1flslkhl8i4lfnhqu664kjg6g/rowijizepimi.pdf (in PDF document text)
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160df36184a9d8---43402504139.pdf (in PDF document text)
    • https://cvenhancer.com/wp-content/plugins/super-forms/uploads/php/files/1a8423040c3e83b8b573b6c859766661/88864813954.pdf (in PDF document text)
    • https://iva-vietnam.com/userfiles/file/zisinemadav.pdf (in PDF document text)
    • http://www.marcelasemper.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607046b640a11---56834701119.pdf (in PDF document text)
    • http://drentmedischadvies.nl/uploads/files/32526817457.pdf (in PDF document text)
    • https://grahampropertytax.com/wp-content/plugins/super-forms/uploads/php/files/1ea55350309e04eb6fc215804c19853b/39161202352.pdf (in PDF document text)
    • https://www.travelticket.com.au/wp-content/plugins/super-forms/uploads/php/files/d1cmu8l9up932gcolpokell5nj/15488975772.pdf (in PDF document text)
    • http://nowyhotelik.pl/userfiles/file/vinavibitof.pdf (in PDF document text)
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086eb64e24d2---xesozisekunedojovefofuj.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=why+doesn%27t+the+volume+work+on+my+remote (PDF link annotation)
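The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be reproduced over the extracted URL list with a few simple measurements: how many external PDF links there are, how thinly they are spread across hosts, how many land in known form-plugin upload directories, how many filenames look machine-generated, and whether a utm_term redirector is present. The following is an added example, not the analysis engine's own rule code; the thresholds, the generic upload-path patterns beyond the two named plugins, the random-slug patterns, and the example.org control list are all assumptions of this example. The sample input is a subset of the URLs listed in this report.

```python
"""Link-farm heuristic over URLs extracted from a PDF (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Upload directories of the two WordPress form plugins named in the report.
PLUGIN_UPLOAD_DIRS = (
    "/wp-content/plugins/super-forms/uploads/php/files/",
    "/wp-content/plugins/formcraft/file-upload/server/content/files/",
)
# Generic CMS upload paths seen in the report's URL list. Treating these as
# "upload storage" is an assumption of this example, not a rule the report states.
GENERIC_UPLOAD_DIRS = ("/userfiles/", "/ckeditor/upload/", "/uploads/file/", "/uploads/files/")

# Filename shapes typical of generated slugs (assumed patterns): long digit runs,
# hex-timestamp---id, and consonant-vowel syllable strings such as "jawolodavimofuru".
DIGIT_SLUG = re.compile(r"^\d{8,}$")
HEX_PREFIX_SLUG = re.compile(r"^[0-9a-f]{10,}---")
CV_SLUG = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){3,}[b-df-hj-np-tv-z]?$")

# Constructed sample: a subset of the URLs listed in this report.
SAMPLE_URLS = [
    "https://tlpnw.com/wp-content/plugins/super-forms/uploads/php/files/a8b9555e05278696ae214ff0f6a2f756/2699803016.pdf",
    "http://adamlegal.com/userfiles/file/duguvidexerinekuzisenive.pdf",
    "https://daks-96.com/f/uploads/files/54797948640.pdf",
    "http://www.fullertherapy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4fe162f492---39602005132.pdf",
    "http://botosani.ro/img/uploads/file/61956658727.pdf",
    "http://le-lemniscus-incandescent.fr/ckeditor/upload/files/jawolodavimofuru.pdf",
    "https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/200a78e7499c1c22f16c0756741839cd/naronagezugosa.pdf",
    "http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16119f6ae4c028---zulas.pdf",
    "http://kaithompson.com/userfiles/file/lotuxejo.pdf",
    "https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=why+doesn%27t+the+volume+work+on+my+remote",
]
# Constructed control: an ordinary document citing two PDFs on one (hypothetical) host.
BENIGN_URLS = [
    "https://example.org/reports/annual-report-2021.pdf",
    "https://example.org/reports/q1-update.pdf",
    "https://example.org/about",
]


def file_stem(url):
    """Last path component without its extension, lower-cased."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def is_random_slug(stem):
    return bool(DIGIT_SLUG.match(stem) or HEX_PREFIX_SLUG.match(stem) or CV_SLUG.match(stem))


def is_upload_dir(url):
    path = urlparse(url).path.lower()
    return any(d in path for d in PLUGIN_UPLOAD_DIRS + GENERIC_UPLOAD_DIRS)


def is_seo_redirector(url):
    return "utm_term" in parse_qs(urlparse(url).query)


def assess_link_farm(urls, min_links=8, max_dominant_share=0.25, min_hits=3):
    """Score a URL list the way the two link-farm heuristics describe.

    A farm is flagged when there are many external PDF links spread thin across
    hosts (no dominant host) and enough of them sit in CMS upload directories or
    carry generated filenames. The utm_term redirector is reported as corroboration.
    """
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    n = len(pdf_links)
    dominant_share = max(hosts.values()) / n if n else 0.0
    n_upload = sum(is_upload_dir(u) for u in pdf_links)
    n_random = sum(is_random_slug(file_stem(u)) for u in pdf_links)
    spread_thin = n >= min_links and dominant_share <= max_dominant_share
    return {
        "n_pdf_links": n,
        "n_hosts": len(hosts),
        "dominant_share": round(dominant_share, 3),
        "n_upload_dir": n_upload,
        "n_random_slug": n_random,
        "has_seo_redirector": any(is_seo_redirector(u) for u in urls),
        "is_link_farm": spread_thin and (n_upload >= min_hits or n_random >= min_hits),
    }


if __name__ == "__main__":
    for label, urls in (("sample", SAMPLE_URLS), ("benign", BENIGN_URLS)):
        print(label, assess_link_farm(urls))
```

The host-spread test is what separates this family from a normal citation pattern: a legitimate document linking many PDFs usually concentrates on one or two hosts, whereas here every link lands on a different compromised site. The upload-directory and slug checks then supply the second signal the heuristics require; on their own they would be too noisy, since a single link into a plugin upload folder can be perfectly legitimate.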