Malicious PDF — malware analysis report

Static analysis result for SHA-256 874bb8cff054c9f7…

MALICIOUS

PDF

81.5 KB Created: 2021-07-01 16:28:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 127c597c475144bf697ab3524c922763 SHA-1: a35902d92ae5698486843c451d34089287bcfe4a SHA-256: 874bb8cff054c9f7746fb7b3f56573e71df69ff0955fe6482f0840beb5d3ef31
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a link farm pointing to numerous compromised WordPress sites, indicating a likely attempt to redirect users to malicious content or phishing pages. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious link distribution pattern. No scripts were extracted, limiting the analysis to the document's structure and embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/1608226cfe19ea---27553527742.pdf
    • http://pttaccounting.com/userfiles/files/xanida.pdf
    • https://vasantviharproperties.com/userfiles/file/pilokogoxebi.pdf
    • https://businesslife.com/content/file/wowigisebuduvali.pdf
    • https://arenda1s.ru/wp-content/plugins/super-forms/uploads/php/files/24c7c4fc8d0ed53a69c2fbd34a8c3498/negufova.pdf
    • https://searchlink.org/userfiles//file/gojesurupekefiv.pdf
    • http://www.primalegal.eu/wp-content/plugins/super-forms/uploads/php/files/f1kngfm68uav7qrlegemqmiir1/87271287332.pdf
    • https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/1608c986dbfa31---rosimonugepubod.pdf
    • http://albatrossmrn.com/konadnew/userfiles/file/48769560853.pdf
    • http://syuncyoku.jp/upload/file/62137273154.pdf
    • http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1607151dc28ed6---lelufivufuzutakukaw.pdf
    • http://www.anclupnapoli.it/userfiles/file/93493853082.pdf
    • https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/35127329fb7f661bad224c066263bbc9/jukoxa.pdf
    • https://mrmusicfoundation.org/wp-content/plugins/super-forms/uploads/php/files/4eg90hji3ue9mq5loilun58eun/rejimeki.pdf
    • http://stellamaris.cz/userfiles/36805972933.pdf
    • http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8d5d4c6a54---xajidepodetitef.pdf
    • http://bazatalty.pl/wp-content/plugins/super-forms/uploads/php/files/d1fdcae9729849f355d56b7719813c0c/tenevugapa.pdf
    • http://paymentsbusiness.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16081513a62d38---58209749702.pdf
    • https://holocaustresearch.pl/nowy/photo/file/66418991304.pdf
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba87b72bed4---75267790627.pdf
    • https://www.sacproblemleri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160885da81f316---fuxixekulonugina.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=god+gave+rock+n+roll+to+me
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d7f4.bin
a555d7bca3eea764d1d8f0daaed59a4908ac37eb80070c79d28ea2afc757305c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD7F4 18408 bytes
font_01_sfnt_off0001070f.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1070F 16792 bytes
font_02_sfnt_off00011f26.bin
a1e3a78b7052dacf40db32dd3a3e94ba2fd3a2996ec4df800c16c8e46e445d10		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11F26 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.