Malicious PDF — malware analysis report

Static analysis result for SHA-256 1379589d92f9e648…

MALICIOUS

PDF

170.7 KB Created: 2021-06-18 22:43:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c088640294815e647854643213ac494f SHA-1: 6caf39aa5d9afc114eeeec204e7b914de93e9407 SHA-256: 1379589d92f9e64801a825f889ace2f813650449baa4d984eb30dc10c8207722
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which appear to be compromised WordPress uploads or disposable hosting, suggesting a link farm designed to redirect users to malicious content. The ML classifier strongly indicated maliciousness, and the presence of a 'download button' lure further supports a phishing or malware distribution attempt. No scripts were extracted, but the overall structure and URL analysis point to a malicious PDF designed for user redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 6

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=tamil+old+melody+video+songs+hd+1080p
    • http://poiskvod.ru/images/file/rapolibibawivatixitafokol.pdf
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087c24a0e0e5---18133798278.pdf
    • http://eltonltd.ru/sites/default/files/uploads/513625758.pdf
    • http://greece-ex.com/images/blog//file/wegedotiv.pdf
    • http://www.grundys.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160c302ef55f49---pesejimepu.pdf
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607048d033999---34996280827.pdf
    • http://erictex.com/ufiles/files/poduzefofukuke.pdf
    • https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16074cbc4dfc61---pigigebubiwazunobomom.pdf
    • http://winfielddeli.com/ckfinder/userfiles/files/vizawufekuxegupozelozutos.pdf
    • https://www.actionconstructionjax.com/wp-content/plugins/super-forms/uploads/php/files/09f77d53e8056f3c3e59e579d59b392d/zosevuzidupen.pdf
    • http://driscollandgibson.com/images/edit_images/file/71011488900.pdf
    • http://caacoding.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c9f49f0aeeb---welazinavubumixugo.pdf
    • https://netiko.ge/img/Data/file/ruraboduwutogez.pdf
    • http://steakclubhn.com/campannas/file/witabefitapukaridojegeb.pdf
    • https://refundsrefunds.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076ae7c7e7a0---gemixulovavikupoko.pdf
    • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/3vs0vbltcjl0uuou7p19at63s9/98349157340.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001f9a9.bin
1853e35dd56be4adc6b840d8585b531673b07438ad7d66dab46037297b13f907		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F9A9 4208 bytes
font_01_sfnt_off0002086e.bin
0ad5764d1fddb8feb967446dd51d77d555ae1d37552913b569fd56f96f929060		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2086E 5776 bytes
font_02_sfnt_off00021c03.bin
bfe2b76faac33c44c6394db400697882c613d3b61e15bbc63e2218b2c9f89531		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21C03 3288 bytes
font_03_sfnt_off0002283b.bin
e339940c408f5cdb25c4f398ff10adc76a2b46bcc833442b1bad440dab01e77e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2283B 4064 bytes
font_04_sfnt_off0002352a.bin
3706723174ceeca82ec18522a49a5aa76f33fa80e52061cbfd963c126c30d805		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2352A 34468 bytes
font_05_sfnt_off000286b0.bin
518caaef23ff38dffd173390deb2ebbf4fc7588f1930709da0bf1b0df588cfea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x286B0 16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.