Malicious PDF — malware analysis report

Static analysis result for SHA-256 26fd455f33bd4ac3…

Verdict: MALICIOUS
File type: PDF

Size: 74.8 KB
Created: 2021-09-02 03:49:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-12
MD5: 790a12bcf719ad1c78d8439c2f9c9738
SHA-1: e9292dc69f490d9fa69ef7cd1c51379899960373
SHA-256: 26fd455f33bd4ac3553c5517cfd664ad8c131f54ec1078e4c28d3332f2df200b
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

Note: the heuristics below state that the PDF itself carries no exploit, so T1203 applies at most to the linked destinations, not to this document's own content.

The PDF contains a large number of external URIs spread thinly across many distinct hosts. Most point at files parked in the upload directories of compromised websites or on disposable hosting. That pattern is characteristic of an SEO link farm: the document ranks for search queries and routes readers into redirect or payload chains hosted on compromised sites. The document carries no exploit code of its own; the risk lies in the linked destinations.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4746

Heuristics (4)

  • [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM: PDF link farm points to compromised WordPress upload storage
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • [medium] PDF_SEO_DISPOSABLE_LINK_FARM: Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL and channel:
    • https://queure.ru/uplcv?utm_term=cleft+lip+and+palate+definition [PDF link annotation]
    • http://americansemitruckparts.com/d/files/42481428771.pdf [in PDF document text]
    • http://fernandopelosini.it/userfiles/files/77848997541.pdf [in PDF document text]
    • http://ilovemynewstemcells.com/clients/865932/File/26747976734.pdf [in PDF document text]
    • http://iqlacpro.vn/emotive/upload/files/pikulejovunukokiperatubeb.pdf [in PDF document text]
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160704e13342fb---88562563829.pdf [in PDF document text]
    • https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/j9e2hts8h21cc3cgriefpiuevj/22446879713.pdf [in PDF document text]
    • https://mgs-on-track.com/uploads/misc/files/fametizowemulirepeladir.pdf [in PDF document text]
    • http://sinoorchids.com/image/file/14488772339.pdf [in PDF document text]
    • http://flexa.cz/docs/file/98804147746.pdf [in PDF document text]
    • https://inchiriereelicoptere.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160af77a97e105---vatasomabefarugid.pdf [in PDF document text]
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160f97a8f6bb99---nosoleduramanexuru.pdf [in PDF document text]
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/8ddcf659f25059a3dc51372abb8828f7/18282287576.pdf [in PDF document text]
    • https://clubsecurite.fr/webroot/upload/files/benax.pdf [in PDF document text]
    • https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/d81a9f7b9cad6039b524ff4446484c15/6556149139.pdf [in PDF document text]
    • http://tbm-mova.by/images_from_html_editor/file/dozagevatawanip.pdf [in PDF document text]
    • https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/pdhsd0tlor5tv1eaps84do5qll/69912099593.pdf [in PDF document text]
    • http://erbilsunhotel.com/wp-content/plugins/super-forms/uploads/php/files/u8beab99821rl6c365pbmunha3/bitepibenefibuwob.pdf [in PDF document text]
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/5db04763dcad686f6cfa0858e4996cf2/nutimutosizolenomitirozed.pdf [in PDF document text]
    • http://savoie-outils-coupants.com/ckfinder/userfiles/files/6771896174.pdf [in PDF document text]
    • http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160d248d4e1403---lafamuwivovapuf.pdf [in PDF document text]
    • https://b2cexpressdemo.com/userfiles/file/2325774716.pdf [in PDF document text]
    • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c59dadd3174---97165717015.pdf [in PDF document text]
    • http://sahrugs.com/userfiles/file/zomezoxosemipiruv.pdf [in PDF document text]
    • https://makemycake.gr/wp-content/plugins/super-forms/uploads/php/files/tr7gjkkj5ujn35ajd1727r8cke/8725535971.pdf [in PDF document text]
    • https://finestblogger.de/wp-content/plugins/super-forms/uploads/php/files/f00klpbulo1kn493aqckrf241c/60155333063.pdf [in PDF document text]
    • https://youkuvpn.com/upload/files/11733012557.pdf [in PDF document text]
    • https://koltoztetes-szallitas-lomtalanitas.excore.hu/ckfinder/userfiles/files/refukujuk.pdf [in PDF document text]
    • http://dejavu.sourceforge.net [in PDF document text]
    • http://dejavu.sourceforge.net/wiki/index.php/License [in PDF document text]
    Analyst note: the two dejavu.sourceforge.net entries are the DejaVu font project's home and license pages, the URLs DejaVu fonts carry in their license text. They are font metadata accompanying the embedded font, not link-farm targets, and should be excluded when counting hosts for the link-farm heuristics.
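The two link-farm heuristics above describe a procedure: pull every URI out of the document, measure how thinly the targets are spread across hosts, and look for random-slug files under WordPress form-plugin upload paths and for a utm_term SEO redirector. The Python below is an added example, not the analysis engine's own code. It runs that procedure over a constructed minimal PDF whose placeholder hostnames (site-a.example and friends) and whose thresholds (min_hosts, max_dominant_share, two WordPress upload hits on two distinct hosts) are assumptions chosen for illustration; the path fragments and slug shapes are the ones the report's URL list shows.

```python
"""Link-farm heuristics for a PDF, run over a constructed sample (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a minimal PDF with four /URI link annotations and one URL in
# the page text stream. Hostnames are placeholders, not the ones in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] /Contents 8 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://seo-redirector.example/uplcv?utm_term=free+template) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://site-a.example/wp-content/plugins/formcraft/file-upload/server/content/files/160704e13342fb---88562563829.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://site-b.example/wp-content/plugins/super-forms/uploads/php/files/j9e2hts8h21cc3cgriefpiuevj/22446879713.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://site-c.example/userfiles/file/zomezoxosemipiruv.pdf) >> >> endobj
8 0 obj << /Length 60 >> stream
BT /F1 12 Tf (See http://site-d.example/docs/file/98804147746.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /URI (...) link actions
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")     # anything URL-shaped in raw bytes

# WordPress form-plugin upload directories named in the report's heuristics.
WP_UPLOAD_PATHS = (
    "/wp-content/plugins/formcraft/file-upload/server/content/files/",
    "/wp-content/plugins/super-forms/uploads/php/files/",
)

# "Random slug": long all-digit or all-lowercase basename, optionally prefixed
# with a hex upload id and '---' (the FormCraft naming seen in the report).
RANDOM_SLUG_RE = re.compile(r"(?:[0-9a-f]{8,}---)?(?:\d{8,}|[a-z]{12,})")


def extract_urls(pdf_bytes):
    """Return [(url, channel)]; channel is 'link annotation' or 'document text'."""
    found = {}
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        found.setdefault(m.group(1).decode("latin-1"), "link annotation")
    for m in TEXT_URL_RE.finditer(pdf_bytes):          # raw scan; annotations already seen keep their label
        found.setdefault(m.group(0).decode("latin-1"), "document text")
    return list(found.items())


def is_random_slug(url):
    stem = urlparse(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_SLUG_RE.fullmatch(stem))


def is_wp_upload_target(url):
    return any(p in urlparse(url).path for p in WP_UPLOAD_PATHS)


def is_seo_redirector(url):
    return "utm_term=" in urlparse(url).query


def score_link_farm(urls, min_hosts=3, max_dominant_share=0.5):
    """Apply the two link-farm heuristics; thresholds are illustrative assumptions."""
    hosts = Counter(urlparse(u).hostname for u, _ in urls)
    total = sum(hosts.values())
    dominant_share = max(hosts.values()) / total if total else 0.0
    wp_hits = [u for u, _ in urls if is_wp_upload_target(u)]
    slug_hits = [u for u, _ in urls if is_random_slug(u)]
    seo_hits = [u for u, _ in urls if is_seo_redirector(u)]
    result = {
        "distinct_hosts": len(hosts),
        "dominant_share": dominant_share,
        "wp_upload_targets": len(wp_hits),
        "random_slug_targets": len(slug_hits),
        "seo_redirectors": len(seo_hits),
        "heuristics": [],
    }
    # Compromised-CMS rule: plugin upload targets on at least two distinct hosts.
    if len(wp_hits) >= 2 and len({urlparse(u).hostname for u in wp_hits}) >= 2:
        result["heuristics"].append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    # Disposable link-farm rule: many hosts, no dominant host, plus an SEO redirector.
    if len(hosts) >= min_hosts and dominant_share <= max_dominant_share and seo_hits:
        result["heuristics"].append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return result


def analyse(pdf_bytes):
    return score_link_farm(extract_urls(pdf_bytes))


if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:16s} {url}")
    print(analyse(SAMPLE_PDF))
```

The extraction here is a raw-byte scan, which is enough for this uncompressed sample but misses URIs inside FlateDecode-compressed object streams; on a real sample, decompress streams first (pikepdf or pdfminer) and feed the decoded objects to the same classifiers. The host spread is what makes the second rule hard to evade cheaply: a campaign that clusters on one disposable host trips the dominant-share check, while spreading across compromised WordPress sites trips the first rule.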

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011315.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11315
Size: 10252 bytes
SHA-256: 6a594283ab5efa5ebcdf9ff0c64ee37129e1e0d99109c0cf189890de2a741bba