Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e13b413d5c608b5…

MALICIOUS

PDF

102.0 KB Created: 2021-06-29 12:22:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-15
MD5: 011eddfff255a0eed821393083ef2106 SHA-1: e135d9e4b1443cde811f1a799d0aa97764bc8aab SHA-256: 8e13b413d5c608b5078c5ca521e05b472bcc500a0bbc9045ae556152c334274c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to external websites, many of which are hosted on compromised CMS platforms or disposable domains, indicating a link farm designed to redirect users. The ML classifier strongly flagged this PDF as malicious, suggesting it is part of a phishing or malware distribution campaign. No scripts were extracted, but the sheer volume of suspicious URLs points to a malicious intent to lead users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9923

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b47860c5fd4---konozeluwajasuzosavavuko.pdf In PDF document text
    • https://aterhesseg.com/up_image/file/newepizisogoxa.pdfIn PDF document text
    • http://erfolgsapp.de/wp-content/plugins/formcraft/file-upload/server/content/files/160afa4f8caab4---xasom.pdfIn PDF document text
    • http://okwecare.com/usr/userfiles/files/tuzeri.pdfIn PDF document text
    • https://www.hdcorp.com.br/wp-content/plugins/super-forms/uploads/php/files/9i7g7pt2483koq14a89rrej0eo/belubamekofo.pdfIn PDF document text
    • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b5639ee1e3b---61746753826.pdfIn PDF document text
    • https://winston-woodward.com/wp-content/plugins/super-forms/uploads/php/files/2c7e330438b93428e43539345fc61e21/88223584731.pdfIn PDF document text
    • https://lcd96.ru/wp-content/plugins/super-forms/uploads/php/files/8a40209cfb720b012088304cddab44ba/ninalurutawepotepuradovuv.pdfIn PDF document text
    • http://schooldistrictservices.com/clients/f/f6/f6ab1571d2cdf5e569af7b76e288b17c/File/miranoxiburomexosuxuki.pdfIn PDF document text
    • http://lifestyleufa.ru/wp-content/plugins/super-forms/uploads/php/files/3e3ae2dd43acf8d28e0ba0caf413cb0b/futisewub.pdfIn PDF document text
    • http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/619ba1da44e753524a6b7b7432100957/44038070904.pdfIn PDF document text
    • https://www.brightfieldbusinesshub.co.uk/wp-content/plugins/super-forms/uploads/php/files/kobd8f6srr4vnq0g40ikjghjlr/90626863206.pdfIn PDF document text
    • http://www.korayozelguvenlik.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f71a4b2c97---fiteluwife.pdfIn PDF document text
    • https://wecafephuket.com/wp-content/plugins/super-forms/uploads/php/files/61ik5perdj5h0tp5eo2kmjaclq/lugozowugavomitofi.pdfIn PDF document text
    • http://rocincorporated.com/domain.com/images/dynamic_pages/file/voxilepaperisojipedajet.pdfIn PDF document text
    • http://diegogenna.it/userfiles/files/divenasaxozipawumejenekum.pdfIn PDF document text
    • http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cfdc77803f6---75917182080.pdfIn PDF document text
    • https://endoaccessories.com/wp-content/plugins/super-forms/uploads/php/files/pg30quanklkrq38l1t864v3gjo/85684421628.pdfIn PDF document text
    • http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/16085db8b2cdda---20112987064.pdfIn PDF document text
    • https://www.emmabowman.com/wp-content/plugins/super-forms/uploads/php/files/8324fc50fd7ca134d9c2bd50160b820f/tabavepobivozoxoju.pdfIn PDF document text
    • http://thegroverestaurantnj.com/userfiles/files/29643451678.pdfIn PDF document text
    • http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ea11919555---99854086526.pdfIn PDF document text
    • https://divinesacredshakti.com/wp-content/plugins/super-forms/uploads/php/files/1865bf1c69c106857da8df6ef5074ca4/tefasozukobepivutup.pdfIn PDF document text
    • http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/f90ac18d3ada1a368256c4ab866daa22/disosevuroxigusanenudu.pdfIn PDF document text
    • https://nuregio.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c86ec00e9de---61080373097.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=things+to+do+template+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012dbb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12DBB 16640 bytes
SHA-256: 7fea958903984ac0837a96826199220e5aa961526fe7d26aa502ce2bce2394e9
font_01_sfnt_off000158f3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x158F3 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001710a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1710A 10808 bytes
SHA-256: 6a43a7a8d9cd964db99d3967bf0831958de38211b6c17b44a906489511f281d8