Malicious PDF — malware analysis report

Static analysis result for SHA-256 91796fc986b84bc2…

Verdict: MALICIOUS

File type: PDF

Size: 66.5 KB
Created: 2021-08-01 02:59:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-12

MD5: 642be55affcf591f9ff12509d6f49597
SHA-1: 30a7b3894ca83d2fa266f45e7402ba78e01b2daf
SHA-256: 91796fc986b84bc2275e0e083b6ea44aa9d03a0507f80b8b4976611e8b1208be

Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous links pointing to compromised WordPress sites, suggesting a link farm or SEO poisoning attack. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the structure and embedded URLs indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6093

Heuristics (4)

  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.