Malicious PDF — malware analysis report

Static analysis result for SHA-256 b41d6ad6dea3ffdf…

MALICIOUS

PDF

Size: 60.9 KB
Created: 2021-08-26 01:53:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-07
MD5: 899fac15af66915adebdc65a7f0a4564
SHA-1: 5ac680e4cf6be8ff30f5654d8d1ce239203a7b4e
SHA-256: b41d6ad6dea3ffdf4e57ff14dd480e597946862fe37a2860693c8661e0d86e9e
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which are hosted on compromised WordPress sites using the Formcraft plugin. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a link farm on disposable hosting, suggesting an attempt to manipulate search engine results or redirect users to potentially malicious sites. The presence of 'utm_term' parameters in some URLs further supports the SEO manipulation or tracking aspect.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4517

Heuristics (4)

  • PDF link farm points to compromised-WordPress upload storage [severity: medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [severity: medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cructi.ru/uplcv?utm_term=geographical+indication+pdf - PDF link annotation
    • http://www.maarsehoveniers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608d161c9176c---wazadatazomizaguve.pdf - In PDF document text
    • http://aodaibooking.com/FileData/ckfinder/files/20210615_46CE075BCBB25F6B.pdf - In PDF document text
    • http://walthamclassof1985.com/clients/5/52/52060312c10aa816a718e90a19a6a7a1/File/96029065099.pdf - In PDF document text
    • https://oknoplus-omsk.ru/wp-content/plugins/super-forms/uploads/php/files/8275a5fd75c5965cd83d96c5844bb410/46869321824.pdf - In PDF document text
    • https://a2designbg.com/userfiles/file/togitajikilaxaruravenaj.pdf - In PDF document text
    • http://parkwestresidences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d3feb3122b---90335269390.pdf - In PDF document text
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8e840f2655---11251147429.pdf - In PDF document text
    • https://mehreganimaging.ir/images/upload/files/rikebuwijixovafi.pdf - In PDF document text
    • https://sakitonus.ru/wp-content/plugins/super-forms/uploads/php/files/ac0b7d8dc9a066327a2b7b88d0b4aad5/98757115537.pdf - In PDF document text
    • http://ottotech.center/userfiles/file/33971912964.pdf - In PDF document text
    • http://rockhousemethod.com/ckfinder/userfiles/files/17269749527.pdf - In PDF document text
    • https://empylean.com/wp-content/plugins/super-forms/uploads/php/files/nbetdsurl3gc5a9iu86quok5c2/1051874243.pdf - In PDF document text
    • http://2990592.ru/ckfinder/userfiles/files/bowezapadaxulujazure.pdf - In PDF document text
    • https://comodee.com/wp-content/plugins/formcraft/file-upload/server/content/files/160937b242f2c5---64935383687.pdf - In PDF document text
    • https://mokshadhamnepal.org/userfiles/files/bozojudipusezi.pdf - In PDF document text
    • http://nwatchonline.org/userfiles/file/gipibojadamurogesek.pdf - In PDF document text
    • http://tivati.com/uploads/userfiles/file/85071917709.pdf - In PDF document text
    • https://protectname.xyz/whoisprivacy/userfiles/files/sovagoliriwodiramufozaze.pdf - In PDF document text
    • https://renetravel.ro/images/files/tidaxomijurubelefinemog.pdf - In PDF document text
    • http://svazekobciorlice.cz/userfiles/file/78830247881.pdf - In PDF document text
    • http://am-assets.com/aom/magnolia/userfiles/file/medezux.pdf - In PDF document text
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/da40684c2544941b54224179af452d84/75564389403.pdf - In PDF document text
    • https://sk-developers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a353a929f9c---69161735619.pdf - In PDF document text
    • https://tecsal.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606cd0ba980ab---94210820073.pdf - In PDF document text
    • http://toyotarenta.net/FileData/ckfinder/files/20210722_9882510D5F2F2BE2.pdf - In PDF document text
    • https://dmvassociates.com/wp-content/plugins/super-forms/uploads/php/files/ec7641b5990da4a642d2db66c2bd7a38/85644972815.pdf - In PDF document text
    • http://aal.tw/uploads/htmlupload/files/tezipadubotenexa.pdf - In PDF document text
    • http://dejavu.sourceforge.net - In PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/License - In PDF document text

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e0b5.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE0B5
Size: 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1