Malicious PDF — malware analysis report

Static analysis result for SHA-256 a522f6cbf22fdf51…

MALICIOUS

PDF

88.0 KB Created: 2021-07-17 01:21:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: 68df03bd6a4c831f800111c53a346cb1 SHA-1: 9ad73418822d18e9ba23462162adb3106cfecf82 SHA-256: a522f6cbf22fdf512e3d8a750cfc65300413356dd1acc4b7b20974578a26477c
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to compromised WordPress sites, suggesting it is part of a link farm designed to host malicious files. The 'SE_CLICKFIX' heuristic indicates the document likely contains instructions to trick the user into executing a command, potentially to download and run a second-stage payload. No scripts were extracted, but the overall structure and heuristics point to a social engineering attack aimed at user interaction for payload execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics 6

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://eduomania.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092add608df2---8511876824.pdf In PDF document text
    • https://roadtoring.com/wp-content/plugins/super-forms/uploads/php/files/2e30fb573095ad5abfa98c2eef092a7e/37196110961.pdfIn PDF document text
    • http://iamsoldierfit.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e5d956e15b---56654580615.pdfIn PDF document text
    • https://gtsonline.nl/wp-content/plugins/super-forms/uploads/php/files/t4g8eavtpqe78nvbf4rhn52d9d/63135610363.pdfIn PDF document text
    • https://workinhotel.com/upload/fckfile/fibasajapijoxamutifowe.pdfIn PDF document text
    • http://gesundezellen.de/neu/userfiles/file/42629768322.pdfIn PDF document text
    • http://alohatoypoodles.com/clients/1/11/1122824db0f83c9e74cf39311881f217/File/29260663330.pdfIn PDF document text
    • https://adasms.fr/userfiles/file/wifiwekutuwadodosokarevu.pdfIn PDF document text
    • https://visaonline-vn.com/wp-content/plugins/super-forms/uploads/php/files/4cuo5ecqdvtmm2jlk3l1lk84di/tuvifikikarikirarufat.pdfIn PDF document text
    • https://celovechurch.org/wp-content/plugins/super-forms/uploads/php/files/0cba9f4fbc5d6d1e6d08efaa8cd02e41/logezil.pdfIn PDF document text
    • http://mabifitness.it/userfiles/files/xusivomaxolodufa.pdfIn PDF document text
    • http://www.grundys.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16086106c483b7---doxupeveniker.pdfIn PDF document text
    • https://autoschiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609188c169749---jewuxevugexoguxenivivetad.pdfIn PDF document text
    • https://www.dekleinewerf.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160773376a83fc---69846346623.pdfIn PDF document text
    • http://614move.com/clients/4890/File/21903747852.pdfIn PDF document text
    • https://www.financedeclined.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160d46dbd0a3ac---97887566313.pdfIn PDF document text
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e8f24fc75f4---sonisovepinuxawekidimow.pdfIn PDF document text
    • http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3648dc97dd---89456918499.pdfIn PDF document text
    • https://www.alignerco.ca/wp-content/plugins/super-forms/uploads/php/files/c9485940543c8d86f872ad0808957252/34249126648.pdfIn PDF document text
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/160773843935b9---mizakinimobedigofesubolix.pdfIn PDF document text
    • https://eyetracking.pl/userfiles/file/23720445081.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=close+programs+running+in+backgroundPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f52f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF52F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010d46.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D46 11120 bytes
SHA-256: 6521646e490646b0510431c2e3b5fbcf9fd6cd813c9519542916faba5ba5c985
font_02_sfnt_off000126c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x126C2 16924 bytes
SHA-256: cb00ada9459ee8203aff93d521f15e53a5796cddbcc824ef3585eff0dab07638