Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f8a958614702d5a…

MALICIOUS

PDF

68.3 KB Created: 2021-09-18 09:08:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-22
MD5: f017ece6d353d362e18a8b463cea8fe4 SHA-1: 0d740f5e5e998cd7282c27b0705b278a17a8c20f SHA-256: 7f8a958614702d5a2947b75a06d3607631bc2daa434d96d14deab955ef90b9b2
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs pointing to a mix of compromised WordPress sites and disposable domains, indicating a link farm designed to distribute malicious content or phish users. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' strongly suggest this malicious intent. No scripts were extracted, but the structure and URL distribution are indicative of a phishing or malware delivery campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5231

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=92+prime+or+composite PDF link annotation
    • http://7seapharmtech.com/Uploadfiles/files/dakatibuw.pdfIn PDF document text
    • https://floraplant.gr/FCKeditor/userimages/file/6958862644.pdfIn PDF document text
    • https://ottopianos.nl/files/kakomekokiganuduv.pdfIn PDF document text
    • https://regenerativetherapyforpain.com/wp-content/plugins/super-forms/uploads/php/files/5df943cba5804272a90411dd0ad4569c/gonub.pdfIn PDF document text
    • https://99shayari.in/userfiles/files/sorekasive.pdfIn PDF document text
    • http://metalltechnik-kutschi.at/xagoxulixol.pdfIn PDF document text
    • http://www.eurosecurimed.com/ckfinder/userfiles/files/lawelenepuna.pdfIn PDF document text
    • https://delaneyllc.com/ckfinder/userfiles/files/86190465007.pdfIn PDF document text
    • http://bkmarine.net/ckfinder/userfiles/files/1631402398.pdfIn PDF document text
    • http://hmsendo.pl/uploads/editor/file/12840841949.pdfIn PDF document text
    • https://espaciocultivarte.com/ckfinder/userfiles/files/54862872549.pdfIn PDF document text
    • http://stluciachamber.org/uploadedImages/contentImg/file/41624101631.pdfIn PDF document text
    • https://cutletsmeat.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613c3c0001fcf---23696795538.pdfIn PDF document text
    • http://soupworld.de/upload/file/rokaxejuwirirufovuga.pdfIn PDF document text
    • https://arch.ua/ckfinder/userfiles/files/30162266678.pdfIn PDF document text
    • http://rtm-plus.com/ckfinder/userfiles/files/sisimitegok.pdfIn PDF document text
    • https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/f8869268c78714a6d92aee749a15fe70/digofipokobaximufifatujak.pdfIn PDF document text
    • https://swimproject.eu/wp-content/plugins/super-forms/uploads/php/files/5199f3a540b9df212508278c61248cd2/44848732706.pdfIn PDF document text
    • http://avandcie-energy.fr/ckfinder/userfiles/files/16897780280.pdfIn PDF document text
    • http://mrs724.ir/basefile/drtiketcom/files/rogeretate.pdfIn PDF document text
    • https://kop-trans.pl/uploads/userfiles/files/piboxitasusexixobawa.pdfIn PDF document text
    • https://llbyggodesign.se/UserFiles/files/rorikumikesuzisi.pdfIn PDF document text
    • http://teaterskolen-efteruddannelsen.dk/ckfinder/userfiles/files/ligusotufisa.pdfIn PDF document text
    • http://otohondamientay.com/upload/files/8164183475.pdfIn PDF document text
    • https://thewentworthco.com/wp-content/plugins/super-forms/uploads/php/files/65e6abbqe6tmluvh2rqkjg73j6/fuzatusasarugibezoxat.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bfb9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBFB9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000d7d0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD7D0 10412 bytes
SHA-256: ff90a8a601d35e0a61a9998cb957a99ac7957e847f1c8c0d3fa2696089795d4a