Malicious PDF — malware analysis report

Static analysis result for SHA-256 f903fb0249722634…

MALICIOUS

PDF

71.2 KB Created: 2021-06-09 06:13:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: 8d870c7d7c908e01f2bfcbb81909bb01 SHA-1: 2609b53aefccb4e4b3887751a201af920d07ebe7 SHA-256: f903fb0249722634dac38ec81c8a1b5cb69b571c75881272cd8db18ad93b5fe4
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple links, many pointing to compromised WordPress sites, and one specifically masquerading as a Flash Player update. The ClamAV detection and ML classifier strongly indicate malicious intent, likely to redirect users to a phishing or malware download site. No scripts were extracted, but the embedded URLs and link farm heuristics suggest a phishing or credential harvesting campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8149

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=please+update+your+flash+player PDF link annotation
    • http://kusadasidentalclinic.com/img/userfiles/files/15249334668.pdfIn PDF document text
    • http://xn--80ackbssfuieecff0e8c.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/h8vhs59s7kudvipqm73ubd7ka1/19108511285.pdfIn PDF document text
    • http://www.ellisrasbetonwerke.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609c43409d18e---nuvafepefasib.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/9fj1pr13fam2f96u182vo5b0cv/42365029031.pdfIn PDF document text
    • https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/2575cd21ceb813a92f21ec32965da296/68279845383.pdfIn PDF document text
    • https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/i72emk6sok8e9nft3tr6dr5o18/jafujoxagelipaxuxagine.pdfIn PDF document text
    • http://thehawthornnyc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c791c77940---21726570145.pdfIn PDF document text
    • http://braciszewska-klimek.pl/fck_files/file/jupisafe.pdfIn PDF document text
    • http://laweasy.kr/userfiles/file/masipoduwejevatokomase.pdfIn PDF document text
    • https://www.lokalesichtbarkeit.de/wp-content/plugins/super-forms/uploads/php/files/l5s0qrqibh0dthq5bad013r859/nawixexajegezekawemujita.pdfIn PDF document text
    • http://alexlunacoach.com/img/editor/file/gekonugigejajun.pdfIn PDF document text
    • https://seataclighting.com/wp-content/plugins/super-forms/uploads/php/files/203fb7b5c65fb0a8e9e1148926fd6c53/xijodoje.pdfIn PDF document text
    • http://simonhoirup.dk/userfiles/file/minibalivumuzoselodit.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ed6d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xED6D 5232 bytes
SHA-256: d5c3e3603a406c5538c1cccea57eff97c5fd2cb5fd28bebc3e3eae2cfea5e807