Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bda84a7376c62b5…

MALICIOUS

PDF

74.7 KB Created: 2021-05-06 03:24:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-07-07
MD5: 28550c00bd49684124c0f3ee88986d76 SHA-1: 73c8e8699a186ec2f525d48187d3896a8755e01c SHA-256: 2bda84a7376c62b544315a8caede8b0b12dd56e9672c3b5024ad045a165add78
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous links to external websites, many of which are hosted on compromised WordPress sites or disposable domains, suggesting a link farm designed to redirect users to malicious content. The presence of a headline about 'Dani mocanu arestat la domiciliu' indicates a lure to attract clicks. While no scripts were explicitly extracted, the heuristic firings strongly suggest the PDF's primary function is to act as a gateway to other malicious resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9083

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=dani+mocanu+arestat+la+domiciliu PDF link annotation
    • http://aceonlinementors.com/userfiles/file/ramuxevogotuzepisiwimixu.pdfIn PDF document text
    • http://vibrosystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160932494625ef---95208368908.pdfIn PDF document text
    • http://ontheedgeofnow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608146efd450e---60209218818.pdfIn PDF document text
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081a5254e767---riwuro.pdfIn PDF document text
    • https://www.stamfordtaxis.com/wp-content/plugins/super-forms/uploads/php/files/5qoghklgl0noo42755u1gchig3/gakumogekivatisum.pdfIn PDF document text
    • https://africanresearchcenter.com/userfiles/file/2061370255.pdfIn PDF document text
    • http://forter.vn/hinhanh/file/72726437682.pdfIn PDF document text
    • http://www.hotel-margherita.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f1e8ae7ff1---91251863508.pdfIn PDF document text
    • https://riverasphotovideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160806f2cd71c6---26991583988.pdfIn PDF document text
    • https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/n2op60v57b48t1vj0kgqnq5mvq/lifunotajabolikazupi.pdfIn PDF document text
    • https://cutletsmeat.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d65735f50f---24174241422.pdfIn PDF document text
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/t58dkt1h8mjshbj8eqqog8omn5/24783941443.pdfIn PDF document text
    • https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16073a0068285c---20395148938.pdfIn PDF document text
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607128b6a4241---23247032246.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ceeae2221b---vanezepe.pdfIn PDF document text
    • http://www.asejnrtigers.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608137f828b90---vepaxadimanumovogutap.pdfIn PDF document text
    • https://vmkstroi.ru/wp-content/plugins/super-forms/uploads/php/files/5b87e25a8e35a460f2701c5924fa3329/97231339266.pdfIn PDF document text
    • https://chamsocmuihong.com/wp-content/plugins/super-forms/uploads/php/files/4teu41bt93ev8o8i7bh6mvh11c/liliwawozosisudufagas.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db7d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB7D 3344 bytes
SHA-256: 967c02d6c3bf2d4e0df706ef8c02081b4d4db96b9758116fb8100aa7bad56d95
font_01_sfnt_off0000e6db.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE6DB 5084 bytes
SHA-256: c886b3180b58926c8b435d1799b223c464cefcc0a49609eca020cd94e2f6438b
font_02_sfnt_off0000f804.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF804 5696 bytes
SHA-256: 7db3ff4c474d18078c0c6db941261ef54bbbd89f91f16138e8aeb80eba59b881