Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e0bdae573f8e3dd…

MALICIOUS

PDF

111.2 KB Created: 2021-07-07 19:54:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: 8f0a839dfec0f45186ab3fee87f6a15f SHA-1: 5567418b6d1da53d79b2d3b6a6a509afa6d8641a SHA-256: 7e0bdae573f8e3ddcb05e5e855caf633a9a2c3a5e322768f6bcfc8978b9b38fc
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous external links, many pointing to WordPress upload directories on distinct hosts, indicating a link farm designed to redirect users. The ML classifier also flagged this PDF as malicious with high confidence. The presence of these links suggests an attempt to lure users to potentially malicious sites, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9666

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=verbs+followed+by+infinitive+without+to PDF link annotation
    • http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a53efe3eb04---kegosufepiguneme.pdfIn PDF document text
    • https://advicezone.org.uk/wp-content/plugins/super-forms/uploads/php/files/6ee2kdcr139qksq7fpqokc0os4/delokuwojiguvijokodukeva.pdfIn PDF document text
    • http://hagelkonzept.de/userfiles/file/26618229077.pdfIn PDF document text
    • http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1606d9b8fe0237---73372206885.pdfIn PDF document text
    • https://directprocessors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096537dd4b89---85288138296.pdfIn PDF document text
    • https://badrivishal.com/media/35049729241.pdfIn PDF document text
    • https://spencershaulageltd.co.uk/wp-content/plugins/super-forms/uploads/php/files/06c71f2a6520bf00f3326116dd022d9f/4616485656.pdfIn PDF document text
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b29a43dcfbd---27133333581.pdfIn PDF document text
    • http://adance0112.com/upfile/editor/file/fupugojuxorolutirefe.pdfIn PDF document text
    • https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607d9839e8cd5---bipoluxodosumonomapizimat.pdfIn PDF document text
    • https://zazilha.com.mx/wp-content/plugins/super-forms/uploads/php/files/1df9455aa981a17fee6572573eab200e/gajote.pdfIn PDF document text
    • http://gsoam.ge/wp-content/plugins/formcraft/file-upload/server/content/files/160a7dcc9ba74c---junure.pdfIn PDF document text
    • http://localhomesales.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160893d360a335---28621774816.pdfIn PDF document text
    • http://itaindustrial.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160750bec93403---joxoduzafi.pdfIn PDF document text
    • http://mcutech.net/upload/2021/06/file/16248170561946355219.pdfIn PDF document text
    • https://mepho.hu/ckfinder/userfiles/files/volazini.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607bf9c4260c4---8066472686.pdfIn PDF document text
    • https://soba05.org/wp-content/plugins/super-forms/uploads/php/files/9c840fb20b5002a6b6a519d2206b8b78/38698729139.pdfIn PDF document text
    • http://noithatnhapkhaugiasi.com/luutru/files/sesekejulenibafelonipigof.pdfIn PDF document text
    • https://smilepath.com.au/wp-content/plugins/super-forms/uploads/php/files/67dd4fc8af92bb0d3c019b0788c29bbc/71733852317.pdfIn PDF document text
    • https://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f8d6442d61---26785173515.pdfIn PDF document text
    • http://annandale1963.com/clients/69704/File/84319719350.pdfIn PDF document text
    • http://eduomania.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091a0aa32892---xaxixadifu.pdfIn PDF document text
    • http://onlineticketreview.com/images/file/9879042050.pdfIn PDF document text
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc40532ded---14287291960.pdfIn PDF document text
    • https://nisahanpin.com/calisma2/files/uploads/lilululega.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012598.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12598 16444 bytes
SHA-256: f2fa3593d47f4f9e90450355abfc2d2346637af93175edf7d85ba91d70c21a1b
font_01_sfnt_off00013c65.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C65 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001547c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1547C 10764 bytes
SHA-256: 4c274d2b57ce6dc48ae997e5b7ae81cba76efe5913cf8c5d45eb40cebe11a3b2
font_03_sfnt_off00016d3a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16D3A 26228 bytes
SHA-256: 1936445557488b3c5657589ccc2948c7206faee413157aa37c50d97eb9032809

Open this report in the interactive analyzer, or submit your own file for analysis.