Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a86f7542c8b1ce2…

Verdict: MALICIOUS
File type: PDF
Risk score: 64

Size: 113.9 KB
Created: 2021-06-20 01:54:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-14
MD5: 3aeca9e090fb7c29a4bcb7a5dcd3c3ca
SHA-1: 7ea30341f21e62d5ba90d9ba8fedca6adfc65932
SHA-256: 2a86f7542c8b1ce28f2304d6e95ea81b5b0b23f87ef5a8a3a9513128860018f9

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous links, many pointing to compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The document body, though heavily obfuscated, contains text related to "rank booster mobile legends 2021", indicating a lure to attract users. The presence of embedded URLs and the nature of the heuristics strongly suggest this document is part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.2101

Heuristics (4)

  • PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM (medium): PDF link farm points to compromised-WordPress upload storage
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crysiq.ru/uplcv?utm_term=rank+booster+mobile+legends+2021 (PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00015ac4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x15AC4, 4472 bytes
    SHA-256: e8fb95a4dd1be4b358798c40bde7fd35badd707d305c019b8140073bd5402bbf
  • font_01_sfnt_off00016a78.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x16A78, 5684 bytes
    SHA-256: 57a3fbf0253e2efd380869684dcda7da17e9416cd1b278b8e771a136a4a31c64
  • font_02_sfnt_off00017db4.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x17DB4, 2092 bytes
    SHA-256: 6e5de5c6bcb7fdd8c5ca0d25823a8f80e6c764803c1b732dbc9c425a5c0f8ea5
  • font_03_sfnt_off0001875a.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1875A, 13740 bytes
    SHA-256: af876f6b0e75f467496927a55d2353fddb39d3c4f1b1534d740333242f4446cb
  • font_04_sfnt_off0001b46c.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x1B46C, 6880 bytes
    SHA-256: 94fe254bb8bafc46b6b121c0f97813a39c5fecc694cedd59b6bd38c0b4cbbc04