Malicious PDF — malware analysis report

Static analysis result for SHA-256 84d2cc571c7a59a2…

MALICIOUS

PDF

96.0 KB Created: 2021-09-02 13:46:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5bb0f766d229df80db6b76073ae2a0ee SHA-1: 0949a6be5021bb3c7d613e3ff25d06b63c73ac09 SHA-256: 84d2cc571c7a59a2826766dc0c735204e738ed328530279ac41dc491c07be8f4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a large number of external links, many hosted on compromised websites or disposable domains, indicating a link farm designed to redirect users. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous external URIs suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/uplcv?utm_term=flower+duet+from+lakme+pdf
    • http://brandweeramsterdamamstellanden.nl/userfiles/file/86998727150.pdf
    • http://yachtandgulet.com/userfiles/file/11199277775.pdf
    • http://doubles301.jp/files/ckeditor/files/tixidutetuvojifove.pdf
    • http://worthingtonpark101.com/userimages/85762540569.pdf
    • https://muratay.nl/userfiles/file/33831245204.pdf
    • http://mopi.eu/ckfinder/userfiles/files/xoretemawufetazoba.pdf
    • https://hanurichurch.org/ckfinder/userfiles/files/87889893245.pdf
    • http://eia-edu.com/userfiles/file/13396242651.pdf
    • http://holidayinntorino.com/userfiles/files/wesaniw.pdf
    • https://tucsonhomewindowtint.com/wp-content/plugins/super-forms/uploads/php/files/23ab7d2e3b3aee224c3a97a93e986246/zotekikok.pdf
    • http://wujipacking.tw/upload/files/wujejosu.pdf
    • http://cnokorea.com/userfiles/file/difetekikajeb.pdf
    • http://leinerpakgelatine.com/survey/userfiles/files/zetodiregi.pdf
    • http://change4best.ru/upload/file/vevugibuloleremiwil.pdf
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c043e6040e7---40153556780.pdf
    • http://www.goldenlantern.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/161301c82a63cc---68721877846.pdf
    • http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160ab1e66ddb8a---kuviwi.pdf
    • https://cuacuonbentre.com/upload/files/todidam.pdf
    • http://thoitrangvabaoho.com/Images_upload/files/nenotadaburozigusino.pdf
    • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/3ddcde5d36f8e60054b8427853550420/66542059506.pdf
    • https://cspdental.com/wp-content/plugins/super-forms/uploads/php/files/2cfcf0cd812c0aa6c823f17ebb233881/nivutit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a67.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A67 16792 bytes
font_01_sfnt_off0001227e.bin
4ef802544e88bf01bc67b10122344d15d36eac9fef7cdd59536fe73d8eac68b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1227E 10552 bytes
font_02_sfnt_off00013aa9.bin
d3d4e8dcff6105e57e5f707b81c4090c136bbfe5ae006640f1992b9ecc5d2f7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13AA9 21628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.