Malicious PDF — malware analysis report

Static analysis result for SHA-256 7df769d0983273a4…

MALICIOUS

PDF

63.6 KB Created: 2021-07-21 00:05:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 66006c9544a05d003ffdb9652d336cc7 SHA-1: 1438a99256e020381adf8dc41715cb595192b146 SHA-256: 7df769d0983273a4e95accf373cf4a8e49a8d90231638ad511d1d0bd14a8f03a
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, indicating an attempt to execute code within the PDF viewer. It also features a link farm pointing to compromised WordPress upload directories and disposable hosting, suggesting a lure for users to click through to potentially malicious sites. The primary intent appears to be directing users to external resources through a deceptive link farm structure.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4986

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://my-natural-style.net/upload/files/gakidulujodibafezukiwum.pdf
    • https://swimproject.eu/wp-content/plugins/super-forms/uploads/php/files/a102f2e1147e4d7decf9e08778782603/72536976930.pdf
    • https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/59f0bbb309282cb15c8ee0961d83b8e6/senofezusajiwulaboxufu.pdf
    • https://www.wflorlando.com/wp-content/plugins/super-forms/uploads/php/files/a11af661cd90255d11b6c4d995c9405d/tadexatokinijemazomew.pdf
    • http://studioingegneriavaragnolo.com/userfiles/files/21068033107.pdf
    • http://livestreaming.group/wp-content/plugins/super-forms/uploads/php/files/q027vh7o0fv5f5vlgd983f0s3kqhl5pq/gadatafamafalexivadet.pdf
    • http://wannawwannie.pl/userfiles/file/ratefujalubofevunajudo.pdf
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/159vr4ne0enq21afbemsvij9pk/buritibamadaxaf.pdf
    • http://lbhodgereunion.com/clients/3/38/38e1f81cb1ac74d12d86c8ba87866b9f/File/gajobumuzafev.pdf
    • http://lnianemarzenie.pl/userfiles/file/98993463136.pdf
    • http://www.guaitoli.eng.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b9467add7fd---48021266983.pdf
    • http://duquenne-moteurs.fr/webroot/upload/files/tariju.pdf
    • http://www.ishvani.com/www/js/ckfinder/userfiles/files/66987038779.pdf
    • https://xn--fct8ml6mwue.tw/uploads/files/kofegan.pdf
    • http://phaptangpgvn.net/app/webroot/upload/files/dujaf.pdf
    • https://arrayamed.com/userfiles/file/6156683597.pdf
    • https://gachbinhduong.com/upload/file/pipek.pdf
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b3f9fa0622---71662299538.pdf
    • https://unibel.pl/pliki/upload/file/riwerevumiralavamaku.pdf
    • http://herodumpsterrental.com/wp-content/plugins/super-forms/uploads/php/files/6f36eb0f660fe3819d4bc75172a41907/70617433433.pdf
    • https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/16077177a26962---76277005946.pdf
    • https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078332876af8---3541209954.pdf
    • http://allprintusa.com/admin/images/file/4500294447.pdf
    • http://ecohost.ru/pics/images/file/99474155142.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=how+to+bypass+pdf+security

Open this report in the interactive analyzer, or submit your own file for analysis.