Malicious PDF — malware analysis report

Static analysis result for SHA-256 27a5dbd831b1941e…

MALICIOUS

PDF

64.0 KB Created: 2021-09-24 14:48:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 06507be5cea479ff89209fcf9516b065 SHA-1: 3dc36d07058d2fe48637b2ce92ea01fe57d80e6e SHA-256: 27a5dbd831b1941efe350c5fb42e1a0ecfa900efa9b5f52dbbcc589fef0c0e39
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, many of which point to compromised WordPress sites or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates this is a link farm, likely used for SEO manipulation or to distribute malicious content. The ML classifier also flagged the PDF as malicious, supporting this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7361

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://churchliferesources.org/wp-content/plugins/formcraft/file-upload/server/content/files/16130cc8fbf04f---4289947357.pdf In PDF document text
    • http://falerisztika.hu/tmp/midirotavig.pdfIn PDF document text
    • http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/16131c0ae0b27b---ditela.pdfIn PDF document text
    • http://alltechsro.cz/files/fabedeperiruzimikefew.pdfIn PDF document text
    • https://artistaone.co/userfiles/files/52375782753.pdfIn PDF document text
    • http://campingwithconvenience.com/files/files/30155233395.pdfIn PDF document text
    • http://karaokejdi.com/ckfinder/core/connector/php/upload/files/radevenomox.pdfIn PDF document text
    • http://brukbet.com/user_images/file/denomopexujaxa.pdfIn PDF document text
    • http://xn--80adpfaaeictf0c6c7i.xn--p1ai/public/file/mipepepi.pdfIn PDF document text
    • http://abwmarlboropike.com/uploads/files/71899539367.pdfIn PDF document text
    • http://yizhu580.com/ckfinder/userfiles/files/fogoporiwogowipi.pdfIn PDF document text
    • http://lsphc.com/userfiles/file///54298705931.pdfIn PDF document text
    • http://ogcdc.org/uploads/ck_upload/files/fagupizadiri.pdfIn PDF document text
    • http://chornakorn-packing.com/ckfinder/userfiles/files/38957082907.pdfIn PDF document text
    • http://kronikarp.pl/ckfinder/userfiles/files/pakiginubimisugatovowe.pdfIn PDF document text
    • https://sofanet.ro/ckfinder/userfiles/files/gagujadoruvogibumepudi.pdfIn PDF document text
    • http://vishwkarmaenterprises.com/webroot/img/userfiles/files/bifudubinuvuxedefenibo.pdfIn PDF document text
    • http://alothongtin.com/upload/FCK/file/87022294991.pdfIn PDF document text
    • http://sakra.sk/storage/file/webul.pdfIn PDF document text
    • http://purofirstli.net/userfiles/file/1020058041.pdfIn PDF document text
    • http://midospa.com/upload/files/21005612643.pdfIn PDF document text
    • https://clubsecurite.fr/webroot/upload/files/rizijuzevojasinogumuru.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16138138e4ead7---kabinerofagajufotikapiv.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=8+ball+pool+downloadingPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bf7a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBF7A 10404 bytes
SHA-256: 319b70230da9b1015f6a7e69f2c6da8e71ede2f7ef159d925ebba246498c8069
font_01_sfnt_off0000d6a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD6A7 18136 bytes
SHA-256: 64a23ab3833fd788dde364c1f2a7089ec2d344d3962c3b10e35247055025df7c

Open this report in the interactive analyzer, or submit your own file for analysis.