Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbec59156d00538e…

MALICIOUS

PDF

63.7 KB Created: 2021-09-17 09:13:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 04307b61647ba5d3cbd4a30a8ea19880 SHA-1: 5ee0c4d4dc6ebc544891fb43c1481f04eb99cf0d SHA-256: fbec59156d00538e347577952ae9d63699739f0f8ada82df825cba0dcf1b0b15
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm with numerous URLs pointing to various domains, many of which are hosted on disposable or compromised hosting. ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to lure users to phishing sites or download further malware. The presence of multiple links on potentially compromised CMS uploads further supports a malicious campaign.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4869

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://manpukuorder.com/uploads/files/nivirowov.pdf In PDF document text
    • http://olympicthesportshop.in/uploads/luvilalanoti.pdfIn PDF document text
    • http://raylutickenterprises.com/userfiles/files/didefalagedejezal.pdfIn PDF document text
    • http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/a204e5561694e125c94a086af3ef5d7b/43188259919.pdfIn PDF document text
    • http://khocabien.com/uploads/files/62930257418.pdfIn PDF document text
    • https://kermanrooz.com/img/files/bujopezafobanizofigero.pdfIn PDF document text
    • https://fivetc.vn/uploads/files/67300853216.pdfIn PDF document text
    • https://freedomtampons.com/wp-content/plugins/super-forms/uploads/php/files/7516ff823bb5c951d2452c426e054b2c/70843324503.pdfIn PDF document text
    • http://dalnoboy.org/data/filestorage/upload/files/luzetevugukikiwenanazab.pdfIn PDF document text
    • http://apartmany.cucoriedka.sk/data/files/82768055723.pdfIn PDF document text
    • https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/161377484b70e1---wopesuj.pdfIn PDF document text
    • http://gewidor-gmbh.de/uploads/files/74212436181.pdfIn PDF document text
    • http://brmxn.com/userfiles/file/20210901071716_kg0s87.pdfIn PDF document text
    • http://tidomusica.com/uploads/files/202109060246529831.pdfIn PDF document text
    • http://elektrostroy.kz/ckfinder/userfiles/files/vokoloxupozom.pdfIn PDF document text
    • https://snf.styleguides.ch/userfiles/files/bikavuj.pdfIn PDF document text
    • http://seoulgreeter.com/userData/board/file/90337785003.pdfIn PDF document text
    • http://studiorinaldibedin.eu/userfiles/files/40408801908.pdfIn PDF document text
    • http://norilsk.torbay.ru/images/uploads/file/bogomesitenora.pdfIn PDF document text
    • http://denis-lefebvre-services.com/fichiers/file/rajodagubojebe.pdfIn PDF document text
    • https://fpcofmacon.com/nbloom/fckuploads/file/wunukumubafez.pdfIn PDF document text
    • http://www.cafeinca.com/img/public/contenido/file/60332660362.pdfIn PDF document text
    • http://fillaracingacademy.cz/ckfinder/userfiles/files/gurojapuwal.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f5086de8c4---nolituzezek.pdfIn PDF document text
    • https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/qpfaic66q1u9135nb012ds0861/52699934118.pdfIn PDF document text
    • http://alacartedesign.de/userfiles/file/18041265464.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=how+to+take+screenshot+in+note+8PDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b370.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB370 10660 bytes
SHA-256: 4b59766b9ecf1f1d40f3bcc35ec3726de8be9c894b1c442ea727dbd6ffbedb0b
font_01_sfnt_off0000cbd8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCBD8 14948 bytes
SHA-256: db34594541cd44cdfbf843d242357a35b0782908356f3361e44ad921d497e8f6

Open this report in the interactive analyzer, or submit your own file for analysis.