Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a17aab1c853ac30…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2021-08-13 04:19:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-14
MD5: 584c1b0a2cb4b4d1b22f5853d90b2f1c
SHA-1: 16609320c3d8f27952c7c00a488c10728d258949
SHA-256: 6a17aab1c853ac30c8dcf31f194746e1c25f40514b9e8365a946606273abb1f1
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites or disposable hosting, suggesting a link farm designed for SEO manipulation or to host malicious redirects. The ML classifier strongly indicates malicious intent, and the structure points towards a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (5)

  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://archism.ru/uplcv?utm_term=arris+modem+tm822+link+light+blinking+orange (PDF link annotation)
    • https://www.arc-welding.co.uk/wp-content/plugins/super-forms/uploads/php/files/baskpoir1amomh5gnnmdud0k60/vebijute.pdf (in PDF document text)
    • https://swimproject.eu/wp-content/plugins/super-forms/uploads/php/files/0b2379d6d9f97eeba6fa5d810652b4ed/gexawigavuwutazeg.pdf (in PDF document text)
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/bbc3b7a89571eea89cabc88c3371c776/rirov.pdf (in PDF document text)
    • https://kisikana.hr/userfiles/file/71923059174.pdf (in PDF document text)
    • https://spherule.org/wp-content/plugins/super-forms/uploads/php/files/d595100a1c939db62e7ae5456c00b87a/vixutegakojelurikipo.pdf (in PDF document text)
    • https://www.karenlovelee.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607778ed08da4---71828225739.pdf (in PDF document text)
    • http://xn----otbbfbbknchz.xn--p1ai/sadm_files/fewupuludimuleba.pdf (in PDF document text)
    • http://lovesenergy.com/file/97294698277.pdf (in PDF document text)
    • https://sanmuabancongty.vn/images/content/files/71977035784.pdf (in PDF document text)
    • http://di-tech.kr/fckeditor/userfiles/file/24905188668.pdf (in PDF document text)
    • http://ecohort.com/userfiles/files/12955009281.pdf (in PDF document text)
    • http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073228f93018---9697763416.pdf (in PDF document text)
    • http://www.bufolari.com/public/immagini/file/16402473912.pdf (in PDF document text)
    • https://joyfool.art/wp-content/plugins/super-forms/uploads/php/files/dfc69bf7b8a094c963f499af154782fd/dulivoxitemosud.pdf (in PDF document text)
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/8a0snhbifk0k52a3tju1getqe9/fepivegepegezarufibef.pdf (in PDF document text)
    • https://cls-toronto.com/wp-content/plugins/super-forms/uploads/php/files/c360f6b4aea2fde119523a7bacc220a4/39098131419.pdf (in PDF document text)
    • http://rentaruedas.com/files/others/xegufo.pdf (in PDF document text)
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082fc385cb25---57589412016.pdf (in PDF document text)
    • https://mindweave.co.uk/wp-content/plugins/super-forms/uploads/php/files/gepcfjopstq8n1ehla0fml232g/85462188592.pdf (in PDF document text)
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/o49o0o4kmdotuotn9b14urv1fp/63440023392.pdf (in PDF document text)
    • http://www.lbf-cosmetics.com/website/wp-content/plugins/formcraft/file-upload/server/content/files/160784726cf545---81036410295.pdf (in PDF document text)
    • https://dietacud.eu/upload/file/19719325859.pdf (in PDF document text)
    • http://70sromans.com/clients/871711/File/17955333580.pdf (in PDF document text)
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/16105f2754935a---41405976159.pdf (in PDF document text)
    • http://clinivetmadonnadirosa.eu/userfiles/files/wisoxobuzinovitabejupodek.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last eight entries are not link targets: the w3.org, purl.org and ns.adobe.com URIs are XMP metadata namespace identifiers, and the dejavu.sourceforge.net URLs come from the license text of the embedded DejaVu fonts. Only the .pdf links on the external hosts above are part of the link-farm pattern.
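
As an added example (not code from this report or from the analysis platform), the script below implements the three structural checks described above: the compromised-CMS upload link farm, the thin-spread SEO link farm, and the duplicate-object-number check with its first-wins versus last-wins resolution. It runs over a constructed PDF-like byte string embedded inline; the .test hosts, the plugin path fragments, the link and host thresholds, and the function names are assumptions, not values taken from the analysed sample.

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): four link annotations, then an
# incremental update that redefines object 4 0 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://redirector.test/uplcv?utm_term=free+template) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://site-a.test/wp-content/plugins/super-forms/uploads/php/files/abc123/doc.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://site-b.test/wp-content/plugins/formcraft/file-upload/server/content/files/1607---1.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://site-c.test/userfiles/file/9.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://site-d.test/wp-content/plugins/super-forms/uploads/php/files/zzz/x.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Upload-directory fragments of the two form plugins named in the report.
# Assumption: these substrings are a sufficient fingerprint for triage.
CMS_UPLOAD_PATHS = (
    "/wp-content/plugins/super-forms/uploads/",
    "/wp-content/plugins/formcraft/file-upload/",
)
# Keys whose presence makes a duplicated object body "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Raw-bytes pass over every /URI (...) literal, including those in superseded
    objects, so both first-wins and last-wins targets are captured. Escaped and
    hex-encoded strings are not decoded (assumption: adequate for triage)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def link_farm_verdict(urls, min_links=4, min_hosts=3, max_dominant_share=0.5):
    """Scores the two link-farm shapes from the report. Thresholds are assumptions."""
    external = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    parsed = [urlparse(u) for u in external]
    hosts = Counter(p.netloc.lower() for p in parsed)
    cms_hits = [u for u, p in zip(external, parsed)
                if any(frag in p.path.lower() for frag in CMS_UPLOAD_PATHS)]
    seo_hits = [u for u, p in zip(external, parsed) if "utm_term=" in p.query.lower()]
    dominant_share = max(hosts.values()) / len(external) if external else 0.0
    spread = len(external) >= min_links and len(hosts) >= min_hosts
    findings = []
    if spread and len(cms_hits) >= 2:
        findings.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    if spread and dominant_share <= max_dominant_share and seo_hits:
        findings.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"links": len(external), "hosts": len(hosts),
            "dominant_share": round(dominant_share, 2),
            "cms_upload_links": cms_hits, "seo_redirector_links": seo_hits,
            "findings": findings}


def duplicate_objects(pdf: bytes) -> list[dict]:
    """Flags object numbers defined more than once with different bodies and records
    what a first-wins and a last-wins reader would each resolve. 'active' marks
    duplicates whose last body carries an action key; that is when severity rises."""
    first_seen: dict[tuple[int, int], bytes] = {}
    dups: dict[tuple[int, int], dict] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key not in first_seen:
            first_seen[key] = body
        elif body != first_seen[key]:
            dups[key] = {"obj": key, "first_wins": first_seen[key], "last_wins": body,
                         "active": any(k in body for k in ACTIVE_KEYS)}
    return list(dups.values())


if __name__ == "__main__":
    verdict = link_farm_verdict(extract_uri_actions(SAMPLE_PDF))
    print(verdict["findings"], verdict["hosts"], "hosts,", verdict["links"], "links")
    for d in duplicate_objects(SAMPLE_PDF):
        print("duplicate %d %d obj, active=%s" % (*d["obj"], d["active"]))
        print("  first-wins:", URI_RE.search(d["first_wins"]).group(1).decode())
        print("  last-wins: ", URI_RE.search(d["last_wins"]).group(1).decode())
```

On the constructed sample both link-farm rules fire (five links over five hosts, three of them under plugin upload directories, one utm_term redirector, no dominant host) and object 4 0 is reported as a duplicate with active content: a first-wins reader follows the redirector, a last-wins reader follows the site-d upload. Run against the real sample, the same raw-bytes approach is what lets the report count superseded objects at all; a conforming parser would only ever show you one of the two bodies.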

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000ef37.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF37 | 11236 bytes | ebba817da6736f62251a5a23583756b9370d3c14c9404a8dfb1a44b444a2f7dc
font_01_sfnt_off00010935.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10935 | 16916 bytes | f7467b7552841ffeba6462a3f9afa35e8193aa02cb9b7b4ebd4530f3298f8eb8
font_02_sfnt_off0001352b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1352B | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1