Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb7eaefecc7730a3…

Verdict: MALICIOUS
File type: PDF
Size: 58.0 KB
Created: 2021-09-02 11:27:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 65fdecfa5a0544c35cd331dce1be9ce6
SHA-1: c8982914796b144bd1167ad835e089c5205a9789
SHA-256: fb7eaefecc7730a3bfbb7dceaf8534ec089e75b448b0d71257399c315a1bc45d
Risk score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF references a /JS stream and carries 24 external link targets, each on a different host. Nearly all of them are random-slug .pdf files parked in the upload directories of compromised CMS installs (WordPress Super Forms and FormCraft uploads, CKFinder/FCKeditor userfiles and similar), and one is a utm_term SEO-redirector link. That combination is the signature of the "free document/template" SEO link-farm PDF family, which ranks for search queries and routes the reader into redirect or payload chains hosted on the compromised sites. The ML classifier score and the ClamAV Pdf.Phishing.Trojan signature corroborate the verdict. The file itself carries no exploit; the risk lies in the linked destinations, so the listed URLs and hosts, not the document's structure, are the indicators worth blocking and hunting for.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8696

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (24):
    • https://crysiq.ru/uplcv?utm_term=cursive+writing+worksheets+for+grade+6
    • http://www.alrafeef.com/faisaliya/js/ckfinder/userfiles/files/89564386094.pdf
    • http://www.enjoyvaltellina.it/admin/ckfinder/userfiles/files/26157476037.pdf
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1606f047340c7f---vuwedabosemiragisu.pdf
    • https://aymexco.ro/ckfinder/userfiles/files/pefuxuwe.pdf
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/a5ecd2ec2a01bf0e81cde0d95b11b55c/raxisuxudit.pdf
    • http://www.uc-kushiro.net/images/library//File/38208028073.pdf
    • https://clinicamanila.com/ckfinder/userfiles/files/46769224092.pdf
    • http://hfnhsw.com/upload/files/xikok.pdf
    • https://binhruamuinanobac.com/wp-content/plugins/super-forms/uploads/php/files/i4q05k32am5tsl25vvadhoftlk/38121616459.pdf
    • https://too.kg/wp-content/plugins/super-forms/uploads/php/files/b7325c4d96eb738e807ac29ef955e7a0/22511531763.pdf
    • https://kalyna.ua/sites/default/files/userfiles/file/rumizipej.pdf
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/eelvvtb5g2t65bed54pfr6u7m0/14808204422.pdf
    • http://www.mkkdigital.pt/wp-content/plugins/formcraft/file-upload/server/content/files/160a04d0e62e55---19246132490.pdf
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/74451faa0661c10e62bf2f85acf7cc4b/9961653432.pdf
    • http://debandhelder.nl/ckfinder/userfiles/files/koledajimo.pdf
    • https://www.davidcosz.de/wp-content/plugins/super-forms/uploads/php/files/ql1o0quljfe3i2cb1u70vb1dfi/rodewitizu.pdf
    • http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adab7bef929---tudusivuwovadelumatas.pdf
    • http://ahoba85.com/clients/2/26/26d353b61ac95a99d7df5001a3d58300/File/welavokipod.pdf
    • http://cukierniabrzezinski.pl/www/artizam/fck/file/89383785576.pdf
    • http://shepardfarm.com/clients/877021/File/44106153219.pdf
    • http://www.sana-anong.com/ckeditor/ckfinder/userfiles2/files/4491826068.pdf
    • https://stayatrosetta.com/wp-content/plugins/super-forms/uploads/php/files/9k5k3f0lvrm9c1tvkm25ism5da/45181352685.pdf
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a5a9284351---lepoxijomuxelezo.pdf
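The two link-farm rules above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) describe a measurable pattern: many external .pdf links, thinly spread over hosts, with targets in CMS upload directories and a utm_term redirector. The script below is an added, self-contained example of that kind of triage, not the scanner's own rule code: it pulls /URI targets out of a PDF (including ones hidden inside a FlateDecode object stream, which a plain grep over the file misses), then scores host dispersion, upload-path patterns and the redirector. The thresholds, the CMS path regexes, the crude "random slug" test and the 200 KB "small PDF" cut-off are all assumptions modelled on the rule text; the sample PDF and its .example hosts are constructed here and are not the report's real links.

```python
from __future__ import annotations
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlparse

# 1. URI extraction: /URI (literal string) entries in raw bytes and in inflated streams.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def extract_uris(pdf: bytes, inflate_streams: bool = True) -> list[str]:
    """Distinct /URI targets in order of appearance. PDF 1.5 object streams (/ObjStm)
    hold whole annotation dicts inside a FlateDecode stream, so a grep over raw bytes
    misses them unless the stream is inflated first."""
    bodies = [pdf]
    if inflate_streams:
        for m in STREAM_RE.finditer(pdf):
            try:  # decompressobj tolerates a truncated tail (e.g. a clipped checksum)
                bodies.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass  # not a zlib stream, or too damaged: the raw scan already covered it
    found: list[str] = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            u = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")  # undo \( \) \\
            if u not in found:
                found.append(u)
    return found

# 2. Link-farm heuristics. Thresholds and patterns are assumptions modelled on the
#    report's rule text, not the vendor's implementation.
CMS_UPLOAD_PATHS = {
    "super-forms": re.compile(r"/wp-content/plugins/super-forms/uploads/", re.I),
    "formcraft": re.compile(r"/wp-content/plugins/formcraft/file-upload/", re.I),
    "ckfinder": re.compile(r"/ckfinder/userfiles", re.I),
}
# Crude "random slug" stand-in: file name is one long run of letters or digits, optionally
# after a FormCraft-style "<hex>---" prefix. A production rule would use entropy instead.
RANDOM_SLUG_RE = re.compile(r"(?:^|---)(?:[a-z]{7,}|\d{9,})\.pdf$", re.I)
SMALL_PDF_BYTES = 200_000  # assumed cut-off for "small PDF"

def classify(uris: list[str], pdf_size: int) -> dict:
    web = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in web)
    n_links, n_hosts = len(web), len(hosts)
    dominant_share = max(hosts.values()) / n_links if n_links else 0.0
    pdf_links = [u for u in web if urlparse(u).path.lower().endswith(".pdf")]
    cms_links = {u: name for u in web
                 for name, rx in CMS_UPLOAD_PATHS.items() if rx.search(urlparse(u).path)}
    cms_random_hosts = {urlparse(u).hostname for u in cms_links
                        if RANDOM_SLUG_RE.search(urlparse(u).path.rsplit("/", 1)[-1])}
    seo_redirectors = [u for u in web if "utm_term" in parse_qs(urlparse(u).query)]
    return {
        "n_links": n_links, "n_hosts": n_hosts, "dominant_host_share": round(dominant_share, 2),
        "cms_upload_links": cms_links, "seo_redirectors": seo_redirectors,
        # random-slug PDFs parked in CMS upload dirs on at least 3 distinct hosts
        "PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM": len(cms_random_hosts) >= 3,
        # small file, many .pdf links thinly spread over hosts, plus an SEO redirector
        "PDF_SEO_DISPOSABLE_LINK_FARM": (pdf_size <= SMALL_PDF_BYTES and len(pdf_links) >= 5
                                         and n_hosts >= 5 and dominant_share <= 0.34
                                         and bool(seo_redirectors)),
    }

# 3. Constructed sample: .example stand-in hosts mirroring the report's URL shapes.
SAMPLE_URIS = [
    "https://redirector.example/uplcv?utm_term=free+worksheet+template",
    "https://site-a.example/wp-content/plugins/super-forms/uploads/php/files/a5ecd2ec2a01bf0e/raxisuxudit.pdf",
    "http://site-b.example/wp-content/plugins/formcraft/file-upload/server/content/files/1606f047340c7f---vuwedabosemiragisu.pdf",
    "https://site-c.example/ckfinder/userfiles/files/89564386094.pdf",
    "http://site-d.example/ckfinder/userfiles/files/pefuxuwe.pdf",
    "https://site-e.example/wp-content/plugins/super-forms/uploads/php/files/ql1o0quljfe3/rodewitizu.pdf",
    "http://site-f.example/upload/files/xikok.pdf",
    "https://site-a.example/wp-content/plugins/super-forms/uploads/php/files/9k5k3f0lvrm9/45181352685.pdf",
]

def _link_annot(uri: str) -> str:
    esc = uri.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return f"<< /Type /Annot /Subtype /Link /A << /S /URI /URI ({esc}) >> >>"

def build_sample_pdf(uris: list[str]) -> bytes:
    """Minimal, not viewer-grade PDF: even-indexed links are plain objects, odd-indexed
    ones sit inside a FlateDecode object stream."""
    plain, packed = uris[::2], uris[1::2]
    parts = [b"%PDF-1.5"]
    for i, u in enumerate(plain, start=1):
        parts.append(f"{i} 0 obj\n{_link_annot(u)}\nendobj".encode("latin-1"))
    comp = zlib.compress("\n".join(_link_annot(u) for u in packed).encode("latin-1"))
    head = (f"{len(plain) + 1} 0 obj\n<< /Type /ObjStm /N {len(packed)} "
            f"/Length {len(comp)} /Filter /FlateDecode >>\nstream\n")
    parts.append(head.encode("latin-1") + comp + b"\nendstream\nendobj\n%%EOF")
    return b"\n".join(parts)

def analyze(pdf: bytes) -> dict:
    """Full pipeline: extract links, then score them against the file's own size."""
    return classify(extract_uris(pdf), len(pdf))
```

Running `analyze(build_sample_pdf(SAMPLE_URIS))` fires both rules (8 links on 7 hosts, dominant share 0.25, five CMS hosts with random-slug files, one utm_term redirector). Passing `inflate_streams=False` to `extract_uris` sees only the four plain annotations and neither rule fires, which is the point of inflating streams before counting links. Two caveats for real samples: this only covers the link-annotation channel (URLs reached via JavaScript such as `app.launchURL`, or sitting in body text, need their own extractor, which is why the report labels URLs per channel), and the regexes here are illustrative, not an exhaustive list of abusable uploaders.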