Malicious PDF — malware analysis report

Static analysis result for SHA-256 493507ec25de431a…

MALICIOUS

PDF

81.7 KB Created: 2021-05-06 12:04:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: f0c726c1edce0f3e5d60c2ea6ae5da16 SHA-1: e33bfbc3ff8d07a8fbc7e8e95ee56b9f9b725f05 SHA-256: 493507ec25de431a5c924f9e94760ac753178c3781e2dd855c58bd74ab9b9468
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous external URIs and is identified as a link farm, likely intended to direct users to malicious content or for SEO manipulation. The presence of compromised WordPress upload links further suggests a malicious intent to host or distribute harmful files. No scripts were extracted, but the overall structure and URL patterns are indicative of a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7246

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=filmywap+new+bengali+movie PDF link annotation
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/16092a6586262f---rofifanuzodirowix.pdfIn PDF document text
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/160746d723b0fb---vebukinefesafizowamo.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/g96pkbefdgivgn83fokeemisg1/bebutodifowel.pdfIn PDF document text
    • https://www.northernillumination.com/wp-content/plugins/super-forms/uploads/php/files/9c47c9c4d524ba9053a34cef772dae7c/vulozasedamobabodakisupo.pdfIn PDF document text
    • https://nhathuydesign.com/wp-content/plugins/super-forms/uploads/php/files/fsokpho0ovgacprqqgkrld06od/nakutamaxapipamorolef.pdfIn PDF document text
    • https://vetranhtuongmamnon.vn/wp-content/plugins/super-forms/uploads/php/files/i7r0q0s3gnjckepgdb43qhd8ff/talagubivuba.pdfIn PDF document text
    • https://wavesmaroochydore.com/wp-content/plugins/super-forms/uploads/php/files/leo3encbkdfaok999v8v6ns1f0/lasununajebutivobedale.pdfIn PDF document text
    • http://acecaalcoy.com/userfiles/file/44083317273.pdfIn PDF document text
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/da86bb457b0e28808cb4c545fdae5914/70400872384.pdfIn PDF document text
    • https://greenturtleproductions.com.au/wp-content/plugins/super-forms/uploads/php/files/1d540f9c40e422a9e0ef3421298fd107/puviloxujexonifibudiravi.pdfIn PDF document text
    • http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1606e7eb454644---85041580645.pdfIn PDF document text
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/9drge0g9op82h1q4nsichp65qf/11616771490.pdfIn PDF document text
    • http://reicar.dk/userfiles/file/61969336211.pdfIn PDF document text
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607b4eb80dd64---xogitijiwasezovugewotovek.pdfIn PDF document text
    • https://flylights.pl/wp-content/plugins/super-forms/uploads/php/files/ncaal6p65cvvfghrcidm6r6ptn/mazifuxu.pdfIn PDF document text