PDF malware analysis — malicious · 328635218fc29643

MALICIOUS

PDF

84.4 KB Created: 2021-09-06 10:46:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: b7544845b5ac6f4dc946fabc03121c30 SHA-1: 8642aceabcf9a4a2806e80a73a61f9f18e4f6de9 SHA-256: 328635218fc2964370b16dc19f17d16616f3a76a740c59fefa94a140c58234eb

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which are hosted on compromised websites or disposable domains, suggesting a link farm designed for SEO poisoning. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and the presence of URLs like 'https://drafthe.ru/uplcv?utm_term=doctors+note+for+work+absence+pdf' indicate a phishing or scam attempt by directing users to potentially malicious content disguised as a doctor's note.

Machine Learning

Nyx PDF Classifier malicious score 0.9951

Heuristics 5

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://drafthe.ru/uplcv?utm_term=doctors+note+for+work+absence+pdf
- https://ukdirectremovals.com/wp-content/plugins/super-forms/uploads/php/files/a302a7c37f5a171a4a843974d70c1aba/dumofor.pdf
- http://www.thunderesp.com/ckfinder/ckfinder.htmlfiles/wenezona.pdf
- http://icltindia.in/userfiles/file/51781216056.pdf
- https://energooptima.hu/upload/File/zedipipuxonetabiboguju.pdf
- http://chonburi33.com/userfiles/file/12068486308.pdf
- http://www.como-grup.ro/fisiere/file/merudawe.pdf
- http://splogservice.ru/content/files/vusiduzigaxilaxepo.pdf
- http://bagpack.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/16075ea8ef321d---57640135757.pdf
- https://www.blondel-bois.fr/ckfinder/userfiles/files/79092429465.pdf
- http://southeastern61.com/clients/0/07/0748cf78e2268043913ae7c14e09e996/File/kasobudusimikexurazagaj.pdf
- https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/f9d26e51a1d05a0012a99b354c008bee/lilagogoput.pdf
- https://www.cibaospalaser.com/wp-content/plugins/super-forms/uploads/php/files/inpbbm05ghotm8orc2dq8kbm3p/82915839858.pdf
- https://www.sehersirin.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607708e3bed62---xikorekimodu.pdf
- http://stagelight.pl/userfiles/files/wazovosexumugamaxatebedon.pdf
- http://www.jindatunnel.com/up_files/file/dewepitinim.pdf
- https://swalaya.in/userfiles/file/41838315838.pdf
- http://cngwalk.com/fckeditor/userfiles/image/pezasewedore.pdf
- http://emilygrilltogo.com/uploads/files/sapazani.pdf
- http://paymentsbusiness.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608c6337300fc---48474516149.pdf
- http://goldartline.ua/userfiles/file/98592358020.pdf
- https://www.mds-horizons.com/upload/files/54277370976.pdf
- http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160862ee284d13---figimipakowipuwa.pdf
- https://www.alpha-dynamics.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160945a660a248---33783225426.pdf
- http://mayamalay.com/clients/874202/File/35380475971.pdf
- http://okwecare.com/usr/userfiles/files/76147878008.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e4fa.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE4FA	16792 bytes
`font_01_sfnt_off0000fd11.bin` `9948bfb7c1991e1c51a2ef4568b8dd03c0a805c8f1842249d125399c22efcab3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFD11	10792 bytes
`font_02_sfnt_off000115e8.bin` `0a6c85ea56b66712d14f5c0a706b2d6376ac817324e611cdbf6ee0dcc2082a86`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x115E8	17672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.