Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cd9287af4e5b99c…

MALICIOUS

PDF

69.4 KB Created: 2021-06-07 01:18:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 0fad13621cc660cbc77239ef0799a050 SHA-1: 5043cd80668895c6a0bc72e8f98c3b63692f6b20 SHA-256: 9cd9287af4e5b99ccec6d2671bcd65741982ffcbe5ed9e3f3d8268831f5c4202
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links pointing to compromised WordPress sites, suggesting it is part of a phishing or malware distribution campaign. The presence of external URIs and a high ML score indicate malicious intent. The document body's deceptive title, 'Pode se engravidar menstruada' (Can you get pregnant menstruating), is likely a lure to entice users to click on the embedded links, which in turn may lead to further malicious content or exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8224

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=pode+se+engravidar+menstruada PDF link annotation
    • http://www.marcado.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16078723a57fdb---11064873219.pdfIn PDF document text
    • http://provia-events.de/pics/fotos/1/file/41612292392.pdfIn PDF document text
    • https://aliencosmicexpo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160746dc5ae6aa---vagaxemirifabesamamidi.pdfIn PDF document text
    • https://www.olympusnorge.no/wp-content/plugins/super-forms/uploads/php/files/753a6dvtri0egg667omksdummq/75218965670.pdfIn PDF document text
    • https://www.cukoyem.com.tr/wp-content/plugins/super-forms/uploads/php/files/ml6t865mle0a6n3e48oft1eo94/dejabotunowumufuxove.pdfIn PDF document text
    • http://www.rkcomdesignservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088406a7174a---34216270344.pdfIn PDF document text
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/1609a373f90aa7---9201340390.pdfIn PDF document text
    • https://bizdrive.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/16091d0d2a28a2---67387258824.pdfIn PDF document text
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd3eacb0baf---dizudukopinaxu.pdfIn PDF document text
    • https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/2bbded43035bdfeef4cef8089e22b277/19810440477.pdfIn PDF document text
    • https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609802c5a35d5---76371603936.pdfIn PDF document text
    • http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16070c1961e196---75710484458.pdfIn PDF document text
    • http://artecgroupservices.com/imagenes/file/nomubopifoxizew.pdfIn PDF document text
    • http://stroynerud-sm.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16094c54b3b761---petolewimeze.pdfIn PDF document text
    • https://arenda1s.ru/wp-content/plugins/super-forms/uploads/php/files/4182ace07f48d072990db6ad1c7f81c3/xinepilofode.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000deba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDEBA 5172 bytes
SHA-256: c98ce37b2f22537d84a8f73628288087cbf40099cfb18e7b86d65aa144b695e7
font_01_sfnt_off0000f042.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF042 12908 bytes
SHA-256: 0d750b4a0acb9d8c53362d35ff3449e72d3703ec8eafc7c10161d50f51c6482c