Malicious PDF — malware analysis report

Static analysis result for SHA-256 b786c02457ca646d…

MALICIOUS

PDF

70.9 KB Created: 2021-08-30 08:05:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 85cafba02ff57ac40b272cff1ef0abcd SHA-1: cebefbafe4d4b10a9fdf6a11a7f7e36c50a40eb4 SHA-256: b786c02457ca646d3eb70d6221fa2f653ef5dd4b1999f359ec576cbc0da0c044
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external links, many of which point to compromised WordPress sites. These links likely serve as a link farm to redirect users to malicious or phishing content. The ML classifier strongly indicates maliciousness, supporting the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics 6

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bradhelferlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/88094524846.pdf
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/6f4b12f3ff7a206f2a05dba67a2e85fd/jezosotitijixaxonomexuk.pdf
    • https://chinatupai.com/web/js/ckfinder/userfiles/files/kokurasofasa.pdf
    • http://jmlukanich.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/11083331949.pdf
    • https://xn--mgbaf4adbs1bd2i.net/upload/ckfinder/files/dulubobobel.pdf
    • http://pvsystexperts.com/wp-content/plugins/super-forms/uploads/php/files/dvlt0f1fooee8k9qf6jr2h5np1/motemora.pdf
    • http://globalsocialwlefaresummit.com//app/webroot/uploads/ckuploads/files/fitalob.pdf
    • http://ca1970.com/clients/10044/File/ruxodepujux.pdf
    • http://ip-golubev.ru/ckfinder/userfiles/files/98300990742.pdf
    • http://vimbark.sk/editor_uploads/files/50778411401.pdf
    • http://zadonskiy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160ac52c0dec37---19818254648.pdf
    • https://nhorizontours.com/userfiles/files/3037648392.pdf
    • https://stehovani-ostrava.cz/static_pages_files/file/78538436679.pdf
    • https://yucekalipmakina.com/tsrm1/img/userfiles/file/74836308098.pdf
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/f7639100c911134683bdf81a655af760/62672942914.pdf
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/60781aa82f42da05373de48c7402980f/26850811268.pdf
    • http://vanlysecurity.vn/vanly/album/files/16876515585.pdf
    • http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/da15bd300282daf25d89312c3ad764b9/zedenamobimug.pdf
    • http://forglass.sk/userfiles/file/91488408652.pdf
    • https://burstallconrad.com/editor_files/file/43964663983.pdf
    • http://nd-58.ru/wp-content/plugins/super-forms/uploads/php/files/1461998a06854f539277670f44f958a6/viwoxemilusiso.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=cause+of+creatinine+increase
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b5a1.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB5A1 16792 bytes
font_01_sfnt_off0000cdb8.bin
a7e3b128ee9be4d55628e5e7e958582c3c0c4827cb8675fab84360d9900fb2d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDB8 10416 bytes
font_02_sfnt_off0000e57a.bin
eb1bd23c344132ba827cf374f4513ae6ed67eedd863546d34260d99f09aa3abf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE57A 15984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.