PDF malware analysis — malicious · 726bfd89e0f67a0c

MALICIOUS

PDF

81.3 KB Created: 2021-09-06 20:50:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: eef9d7aacb9b3b54d10041fefbd3d2f8 SHA-1: d04d78bec34500529b6992b6a9e4c99c545d5f47 SHA-256: 726bfd89e0f67a0c07099f4ef1f7bd810c714302ebfbd208c9dab6f1a98f8f9d

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs pointing to compromised WordPress sites and other domains, indicating it functions as a link farm. The ML classifier strongly flagged this PDF as malicious, and heuristics identified it as a link farm on disposable hosting, likely intended to manipulate search engine results or distribute further malicious content. The presence of multiple links to compromised CMS upload directories suggests a pattern of using these sites to host and distribute malicious files.

Machine Learning

Nyx PDF Classifier malicious score 0.9977

Heuristics 5

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bb061fa909e---98477748557.pdf
- http://cupta.org/userfiles/files/20210530110358.pdf
- http://branonperformance.com/ckfinder/userfiles/files/246747294.pdf
- https://www.northernillumination.com/wp-content/plugins/super-forms/uploads/php/files/820dd26dcc35a0315add41e8eb314b28/74974370282.pdf
- http://rmgoals.com/userfiles/files/sirorenofopupifalikota.pdf
- http://bukvoznaika.ru/ckfinder/userfiles/files/49007279467.pdf
- http://alltechsro.cz/files/subavizisokepobuloteja.pdf
- https://isleo.com/i_photos/file/segajosudixujubewudemepo.pdf
- https://mission4recruitment.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b29bdcca0c---polerurinipedajuvega.pdf
- https://seikico.net/img-tym/files/29828481909.pdf
- http://saigondome.com/uploads/userfiles/file/dasinakuroluvupoduvone.pdf
- https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/161214e1606b68---95418852967.pdf
- http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160796e203c08e---91224273078.pdf
- http://lotusromeo.fr/app/webroot/files/userfiles/files/65608616205.pdf
- http://brothersaluminium.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/160805cba4cc45---duwosejupav.pdf
- http://ascensionchina.com/userfiles/file/86547297865.pdf
- https://balaji-technology.com/userfiles/file/61618116239.pdf
- https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609533e15e8cd---tixivajidenutino.pdf
- https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160837a494fd27---ropafefa.pdf
- http://shinies.ru/img/lib/file/livekipofetigiweparepumut.pdf
- http://sghr.ca/upload/ckfinder/files/12136585120.pdf
- http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16098abd34038b---gobikez.pdf
- http://anaminfo.com/attachfile/file/kotafowev.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=craftsman+electric+mulching+lawn+mower+manual
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d8e6.bin` `7c17c780834c8ced9f83eef0c1e466705d58c6f8797089ba947303420695db98`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8E6	17184 bytes
`font_01_sfnt_off00010598.bin` `17aa822e245bddfde5098e67fea8ce0471910c51c1fe7dbe11f26b9f9564593d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10598	11000 bytes
`font_02_sfnt_off00011f0f.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11F0F	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.