Malicious PDF — malware analysis report

Static analysis result for SHA-256 40ee62e16e582df3…

MALICIOUS

PDF

69.3 KB Created: 2021-07-23 09:29:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: 96c60f4d0efb14dd669841df5b097de2 SHA-1: 0bd6d7f6035e5d9ae7640fbc230a3b1cc4a2a218 SHA-256: 40ee62e16e582df3788e5df88e949604e77ee5a407796a6a9912a5fdf1c26cf4
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF contains numerous links pointing to compromised WordPress sites and disposable hosting, indicating a link farm designed to distribute further malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is part of a phishing or malware distribution campaign. No scripts were extracted, but the structure and URL patterns are indicative of a downloader or redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9156

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://parfumkin.ru/files/files/79316569602.pdf In PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1609e551b40058---xasegogafagu.pdfIn PDF document text
    • https://goez3.com/10005001208290177/ckfinder/userfiles/files/sipeverofuxuvofuwaz.pdfIn PDF document text
    • https://hmv.ir/wp-content/plugins/formcraft/file-upload/server/content/files/16073a0c5351dc---xibedogose.pdfIn PDF document text
    • https://atx-stroy.ru/wp-content/plugins/super-forms/uploads/php/files/c6aef1d6b3174450398f2010a5b68161/pufasibireluponat.pdfIn PDF document text
    • https://spazmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088e5308bb01---81640171072.pdfIn PDF document text
    • http://www.atrium-tuiles.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3a32042a90---savegulul.pdfIn PDF document text
    • https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae108d090bc---88593890504.pdfIn PDF document text
    • https://lensprovn.com/ckfinder/userfiles/files/jarofaxurebenowesed.pdfIn PDF document text
    • http://cuiquji.net/d/files/9919301491.pdfIn PDF document text
    • http://zhouzhuank.com/v15/Upload/file/202162943515143.pdfIn PDF document text
    • https://www.andimoda.com/wp-content/plugins/super-forms/uploads/php/files/e87bad93bbe1ebb23ba7261761d065f2/40375314088.pdfIn PDF document text
    • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c372b877b18---87266958127.pdfIn PDF document text
    • https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a06e8413f62---48977583025.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0780d3674d---serunanoxuwobakowani.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/67bddd722fdb72054a30c55dc2e70038/44662027479.pdfIn PDF document text
    • https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/160a363c023b45---23152122978.pdfIn PDF document text
    • http://aiswaryamatrimonials.com/fck_uploads/file/tojuzovetubale.pdfIn PDF document text
    • https://frontiersneurophotonics.org/wp-content/plugins/formcraft/file-upload/server/content/files/1/1608205e4038b7---pusuj.pdfIn PDF document text
    • http://slp70.com/clients/873855/File/80241945498.pdfIn PDF document text
    • http://imi.vc/upload/files/fowedebavin.pdfIn PDF document text
    • http://www.hkwebdesign.com.hk/wp-content/plugins/formcraft/file-upload/server/content/files/160a01eaa6cb89---24693152871.pdfIn PDF document text
    • https://udachi.co.th/wp-content/plugins/super-forms/uploads/php/files/jnpo2lfospkcadfsobcoeiskk5/pesawizaxolirakevuf.pdfIn PDF document text
    • https://podiummagazinenews.com/ckfinder/userfiles/files/bezomezopozixodebilaga.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=39+clues+the+black+circle+read+online+freePDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f87e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF87E 11148 bytes
SHA-256: 9151a0141e0d72c0a0f509f7e1be5475ae9cb66cb80c5f09c148c373cca0a2c7

Open this report in the interactive analyzer, or submit your own file for analysis.