Malicious PDF — malware analysis report

Static analysis result for SHA-256 871f4ae092bcbf07…

Verdict: MALICIOUS
File type: PDF
Size: 95.4 KB
Created: 2021-06-30 07:03:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 3327cbdf490fece6d3390d0eb90929e6
SHA-1: 9a77dc1dc68947e934946f780412b825f78ade4f
SHA-256: 871f4ae092bcbf07558e85edc2953d3796120b7adfab5e109b34629e3e668acc
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a link farm hosted on compromised WordPress sites, directing users to download remote support tools. The heuristic 'SE_REMOTE_SUPPORT_LURE' indicates the document's intent to trick users into installing potentially unwanted software. While no scripts were directly extracted, the PDF structure and embedded URLs suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9491

Heuristics 6

  • Remote-support tool lure (high) SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; this is high-risk in an unsolicited document.
  • PDF link farm points to compromised-WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f09b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF09B    17280 bytes
  SHA-256: 96253e6bc71c263d335f518e9980a2f5a079500ed94015467cd8fd50d847b223
font_01_sfnt_off0001085f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1085F   16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012076.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12076   10880 bytes
  SHA-256: 4a867a3e772f294a43e29f7d90f7dc7bf98b3bafc98b84fa97952904f9ef3d7b
font_03_sfnt_off0001397b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1397B   1696 bytes
  SHA-256: 28c5bcedffb0f63c0f18ed07264126f7c833899b916de9a351f9850be7cb6bae
font_04_sfnt_off00014187.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14187   17696 bytes
  SHA-256: d8587baee34656170d22724fcbe930837843b2137d38af47d3ccff7f6911029b