Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc3833284bc816ab…

MALICIOUS

PDF

72.4 KB Created: 2021-09-07 07:00:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 2fdd213cc89f9eb141df32954b4a085a SHA-1: 99f398b2a49aaa9ab224e76d6613c12a5c504bcc SHA-256: fc3833284bc816ab674aa016635cf4c2b094d67f1fb70d85a0711fcb5b7951da
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to numerous compromised WordPress upload directories and other disposable hosting sites. This behavior is indicative of a phishing or malware distribution campaign, where the links likely lead to malicious content or fake login pages. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports this assessment.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4326

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://juniorsmagazine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160736b7b29963---14318769561.pdf In PDF document text
    • https://wic-net.com/userfiles/file/45853745691.pdfIn PDF document text
    • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160bdb7fa597fd---pejavupetevonodiwobamupab.pdfIn PDF document text
    • https://lightspec.com/wp-content/plugins/super-forms/uploads/php/files/c70626d72c7090a69f14c240c2a99f5b/24617707978.pdfIn PDF document text
    • http://nowator-zpu.pl/userfiles/file/7378228380.pdfIn PDF document text
    • https://caravanandre.it/wp-content/plugins/super-forms/uploads/php/files/fa0cb2986e311a58a2c11e0cc29a5e1c/wuwutawigiwinu.pdfIn PDF document text
    • https://liur-krd.ru/userfiles/file/46195502440.pdfIn PDF document text
    • http://tumwebthailand.com/ckfinder/userfiles/files/xirenejeneguripesazob.pdfIn PDF document text
    • http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/fb04dc32d6ecc63b7500626510e063f9/losutuludelibi.pdfIn PDF document text
    • http://sts-logistika.ru/wp-content/plugins/super-forms/uploads/php/files/8fef4498159b84cf16383032ea790b50/luramusudod.pdfIn PDF document text
    • https://tocken.se/anvandarbilder/258/files/jozarusafowewukizezime.pdfIn PDF document text
    • http://feuerwehrobrigheim.de/upload/files/kujopijabemasa.pdfIn PDF document text
    • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/c9fccf9ab0ae0b2d2b094895d30f69cb/savalixoturibe.pdfIn PDF document text
    • https://hospvetcentral.pt/site/upload/file/kavaxelar.pdfIn PDF document text
    • http://ccswcd.com/userfiles/file/pilikapamuto.pdfIn PDF document text
    • http://bomtvplus.com/data/board/file/20210514204300.pdfIn PDF document text
    • https://christembassyromford.org/wp-content/plugins/super-forms/uploads/php/files/6c509e28ea0a45421cbb2eec77ccbb91/wawuwodo.pdfIn PDF document text
    • https://soechi.com/userfiles/file/newufajumup.pdfIn PDF document text
    • https://singaporeroadshow.com/wp-content/plugins/super-forms/uploads/php/files/8cd3d67bf8826aba128e47ce72ec8c53/76216654907.pdfIn PDF document text
    • http://geology.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1609867c2890d0---37943022981.pdfIn PDF document text
    • http://files.ibiza-ferien.de/file/bazeraliruzudu.pdfIn PDF document text
    • https://www.cylinder96.ru/admin/ckfinder/userfiles/files/4033548071.pdfIn PDF document text
    • http://atel-j.nl/uploads/files/xibidakiso.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=top+10+reversal+candlestick+patterns+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d612.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD612 10908 bytes
SHA-256: 2ede2e4b39a02eb0c9b6f683c9c1ada2179ab94369b6f0ed94ddfec2a23bef02
font_01_sfnt_off0000ef7c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEF7C 17860 bytes
SHA-256: edaea9fdebb4b5a4104f6d735ad42d679efa3bb1014c42ba3f6bd655fe8aa134

Open this report in the interactive analyzer, or submit your own file for analysis.