Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ecdfbd6b6ed1542…

Verdict: MALICIOUS
File type: PDF
Size: 88.8 KB
Created: 2021-06-29 17:56:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-08-25
MD5: 9c1efa85c08c33c8190fbaa9baf72a1d
SHA-1: 93dd3d9439bcbdf4afa7dfec1705422cdfd869f2
SHA-256: 6ecdfbd6b6ed1542616239817af91a6d11db544ee7bcf37bc7acd8b1042dd8c4
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a link farm pointing to multiple compromised WordPress sites, as indicated by the 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' and 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristics. The ML classifier also flagged the PDF as malicious with high confidence. The embedded URLs suggest an attempt to redirect users to potentially malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (5)

  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f3b5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3B5 | 11276 bytes
  SHA-256: ed651e7cfe76f7e926c34f78b2f6d70bcfd13e4d0c81d5dd682377ce5647ecbe
font_01_sfnt_off00010dc2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DC2 | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000125d4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x125D4 | 18180 bytes
  SHA-256: 6ee62953a776b057a9d614bf25a2422298d6c6fdbb2a84e76fef9f95df76f6ad