Malicious PDF — malware analysis report

Static analysis result for SHA-256 5050ba524ccc738b…

Verdict: MALICIOUS

File type: PDF

Size: 87.3 KB
Created: 2021-07-07 07:01:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27

MD5: 64138ca055666b52c105698f8bc28739
SHA-1: f082ed72ebecb0676401874ee040f3d34c8ffe44
SHA-256: 5050ba524ccc738bd5967390c19c325dba10a9b5ba5033db6f38342a14e97f0f

Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a link farm designed to redirect users to various compromised WordPress sites. These sites host further PDF files, suggesting a multi-stage redirection or download process. The presence of numerous links on disposable hosting and compromised CMS upload locations indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.2141

Heuristics (4)

  • PDF link farm points to compromised-WordPress upload storage [medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium, PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010667.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10667
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_01_sfnt_off00011e7e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11E7E
    Size: 10624 bytes
    SHA-256: 205c0580aee5e0afda06b7e47719f8ed8dcb7088b810c81a320fddd65823e837
  • font_02_sfnt_off000136d0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x136D0
    Size: 16804 bytes
    SHA-256: d806700ce850c17a45e570401243c895a1c30f1af5f27cdeca9bda29f88cee81