Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b518754447de791…

MALICIOUS

PDF

102.7 KB Created: 2021-06-27 09:37:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f0c65868c616d916d239d6ea506d50f3 SHA-1: 2ba2b667495ace9e1de09981f8fb78aab5e5add0 SHA-256: 4b518754447de7917c85f593da694355e0a5dc35111be620d2266e6d4e9f53b0
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs that point to other PDFs hosted on compromised WordPress sites or disposable hosting. The embedded URLs, such as 'https://medvor.ru/uplcv?utm_term=nightcore+i+need+your+love+mp3+download+320kbps', suggest an attempt to lure users to potentially malicious content. The presence of multiple compromised CMS upload links indicates a distribution network for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9297

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/uplcv?utm_term=nightcore+i+need+your+love+mp3+download+320kbps
    • https://www.alpha-dynamics.gr/wp-content/plugins/formcraft/file-upload/server/content/files/16080c379cc11f---fevemofifuz.pdf
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/26722c463301abecdc9585906192e06c/32619437645.pdf
    • https://massagetheory.ca/wp-content/plugins/super-forms/uploads/php/files/460874ff12d5e9406f0afd28117b50c3/78151467781.pdf
    • https://scriptdd.com/_file/file/3107327657.pdf
    • http://adance0112.com/upfile/editor/file/bowunurozixasapigenise.pdf
    • http://baovephuongtroi.com/vietkiendo/upload/file/rakokup.pdf
    • https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160d7f5ff01465---tovekelurorituz.pdf
    • https://refundsrefunds.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cdbd45ce36---suwodulubosutamutixito.pdf
    • https://steammining.com/userfiles/file/rabutepowojatuxafaze.pdf
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/rh57o8f7l5t58op14vd25agvo2/gunisuxudavobudadanopi.pdf
    • http://jshtextile.com/UserFiles/file///pakatupomimonobopedemop.pdf
    • http://sanitaerprofi.ch/fckeditor/editor/images/file/19992844648.pdf
    • http://www.zywawiara.pl/pliki/49199227183.pdf
    • https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/160805398defdc---41972780878.pdf
    • https://sevsport.info/wp-content/plugins/super-forms/uploads/php/files/50e75d9d832204067e2d4ed89629dad3/pufogevajivefuwo.pdf
    • https://perfecthospital.org/FCKeditor/file/guwozawo.pdf
    • https://www.vbclighting.com/wp-content/plugins/super-forms/uploads/php/files/ae79318e50fc598bdd650a33f310d944/22995669726.pdf
    • https://staffxrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/2a1fc34642ac1bf6e4ad85f768909d59/99963933666.pdf
    • http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/160763e141739a---kexuwijuvivito.pdf
    • http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/kmon6tjcappta5g26ichfhl163/zifokebumefofexodefawix.pdf
    • https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/715e3e986754ce722c9877e2f0a5e131/73437978671.pdf
    • http://ndt-tl.ru/upload/file/20334086523.pdf
    • https://www.d-table.com/wp-content/plugins/super-forms/uploads/php/files/9139d93849ab11eeb51d8d33b91ec09f/60067893492.pdf
    • https://sunwayhk.com/louis/STARKGROUP/ckfinder/userfiles/files/67198959359.pdf
    • http://okwmd.com/upload/fckeditor/file/kukivamazibobo.pdf
    • https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160bcf966f11e1---benokopidebomanuwapo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb70.bin
0da5ea8983dff21d4fc7f690e264723963cd5b6ac9c6f0e7d53726e2b10cc348		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB70 28964 bytes
font_01_sfnt_off00012ed6.bin
635dadd559b6802d20f917c1d978be88f9f054c206fb3b9ddf53052f8fc3ae95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12ED6 11948 bytes
font_02_sfnt_off00014b14.bin
c30cabaf7992150ce748d1780854be52e38310f98401ae03c76e6a6ef5b090cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14B14 1804 bytes
font_03_sfnt_off00015389.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15389 16792 bytes
font_04_sfnt_off00016b9a.bin
7082d672b7f62c15550cc90f6720d5dbc0e4a04eb75b290bbb550f7dc2b4f234		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16B9A 18876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.