Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bcd16dcf7c7ca22…

MALICIOUS

PDF

75.5 KB Created: 2021-06-18 19:16:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: 356ccd85cb2d8c5746a0a54527d5be13 SHA-1: a0350e0cb024e6aa721acf91e146c5465d733af9 SHA-256: 2bcd16dcf7c7ca2240d3c06d81cae7c3a7f331cbd43d2fa99604db0aaee56d15
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised CMS upload directories, suggesting it is part of a link farm designed to distribute malicious files. The ML classifier strongly indicated maliciousness. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, but the overall structure and URL patterns are indicative of a downloader or redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://salon-urody-bellis.pl/images/file/258525961.pdf In PDF document text
    • http://inspirationallabels.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607621ab71e62---16880742407.pdfIn PDF document text
    • https://www.andeanskyline.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607302995914b---16715638168.pdfIn PDF document text
    • https://airflow-skateboards.com/upload/file/80973658392.pdfIn PDF document text
    • https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/4b2a0072d882cd3d5af62f971a9ffb84/dikijuwexadasujo.pdfIn PDF document text
    • http://witnesstherealist.com/wp-content/plugins/super-forms/uploads/php/files/8ef6dbbfb52d2820149d1db2269d2ddb/wumiposibufumoberer.pdfIn PDF document text
    • https://howardsteeves.com/wp-content/plugins/super-forms/uploads/php/files/45ea346e95288bb1fa955abf64398728/lokudixusonubegi.pdfIn PDF document text
    • http://evabody.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b05098a6216---68491615258.pdfIn PDF document text
    • https://hartwellcook.com/wp-content/plugins/super-forms/uploads/php/files/4a542d9fbfc8ae614fd8b7c5ed06ecd7/1017428546.pdfIn PDF document text
    • http://springswellness.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c145e98ae9d---fukikeworomixefapoma.pdfIn PDF document text
    • http://bagpack.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/1607750aac9a5b---borixo.pdfIn PDF document text
    • https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/1606f57e02d9ab---muginexa.pdfIn PDF document text
    • https://mimpishio1bet.net/contents//files/75601584251.pdfIn PDF document text
    • http://averon.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16092744d87d13---49306616670.pdfIn PDF document text
    • https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094a39e867c9---23690261286.pdfIn PDF document text
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160831612769b9---95950095553.pdfIn PDF document text
    • http://metabolit-plus.ru/files/file/14774633048.pdfIn PDF document text
    • http://neodev.space/wp-content/plugins/formcraft/file-upload/server/content/files/160aabf0b1505f---27472724702.pdfIn PDF document text
    • http://smartcookieacademy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fffa5863b1---pebanakarujurowexi.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=iptv+stbemu+apkPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off000102d8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x102D8 18700 bytes
SHA-256: 3ca8602e019ff169a075f28743b91d30c9b2b36c9fa0a5398c47f34b05250c5e
font_00_sfnt_off0000cdf2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCDF2 5036 bytes
SHA-256: 6f345c90e7aa6bc3dc6dd91664e07630f2b19fb781fcf28a179c8c74723b41af
font_01_sfnt_off0000df07.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF07 10516 bytes
SHA-256: 13a240ce2b6b492e92957e7b58ebb43c41575cbb84a3b0320614e958410a15f0