Malicious PDF — malware analysis report

Static analysis result for SHA-256 36094b430d9bc1b9…

MALICIOUS

PDF

57.0 KB Created: 2021-05-30 14:06:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-14
MD5: 4901cc9033dd4d74cedde2cda8eee2ab SHA-1: b92c1d7c1227e700dc7b02f2385b186e37afc132 SHA-256: 36094b430d9bc1b96807cd8306ccfa3ad02d7fa2d8d06d24ad6a4b5a5ff03f0a
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which are hosted on compromised CMS platforms or appear to be part of a link farm. The document body, though heavily obfuscated, suggests a lure related to 'motor vehicle commission address change history report' to entice users to click on these links. The ML classifier strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9621

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hum-lucknow.org/test/fckeditor/file/23024821263.pdf In PDF document text
    • https://forex-robo.org/wp-content/plugins/super-forms/uploads/php/files/1bb4cec6511326c63c833964729bfd0f/89578195294.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/c7epbh790rfq8tjhjj92hsjigr/jugekama.pdfIn PDF document text
    • http://bertoniamministrazione.it/bertoni/public/file/13455250614.pdfIn PDF document text
    • http://www.loicadesacavem.pt/wp-content/plugins/formcraft/file-upload/server/content/files/16087b3b78ef37---datadizaradarixater.pdfIn PDF document text
    • http://vds-construct.pl/userfiles/file/49336732159.pdfIn PDF document text
    • http://metzpaintings.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9e23ba33eb---devunuwejebunivibovek.pdfIn PDF document text
    • http://mountmedpharmacy.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609e44a11055e---romitomonopamugem.pdfIn PDF document text
    • https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16093a704d35d2---dexogobulatamipe.pdfIn PDF document text
    • https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/af1bcfff4f00b1264c58e8d2aa616365/wememusotojolasixepob.pdfIn PDF document text
    • https://voicelux.ru/wp-content/plugins/super-forms/uploads/php/files/06e0ed72f914600d2924c1b6e5cef68c/tubesoditipetafebovugut.pdfIn PDF document text
    • https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/n8f3kvd0m156j4vvs65q8ehpak/41686391734.pdfIn PDF document text
    • https://kfz-gutachter-oliver-schiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607aa8265ebff---8113302812.pdfIn PDF document text
    • http://www.timtransportes.com/home/wp-content/plugins/formcraft/file-upload/server/content/files/1609abca19b550---rifubidegotozedek.pdfIn PDF document text
    • https://thewaves.net/wp-content/plugins/super-forms/uploads/php/files/dco0nt3ljg3vt1d7mv8rad7svb/rukokeburasofu.pdfIn PDF document text
    • http://www.allatpatikapecs.hu/images/file/25838584929.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=nj+motor+vehicle+commission+address+change+history+reportPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cf76.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCF76 5692 bytes
SHA-256: ed0f3936cdefc4438c9aa3fe4ebcee033c8a463c344870bdc4c728d59dea94a9