Malicious PDF — malware analysis report

Static analysis result for SHA-256 badd192b4fa8cf30…

MALICIOUS

PDF

106.9 KB Created: 2021-07-13 04:15:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: ea18353ed818b052a7c0f1288c9d8c86 SHA-1: f9f3b71311933a0aae010020421029ab9a41f0ba SHA-256: badd192b4fa8cf308723e5a22aa34e8e83d551c66c077141e16260702982b0db
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to redirect users. The ML classifier also flagged this PDF as malicious. While no scripts were extracted, the structure and URL distribution suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7648

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mokhalasati.com/userfiles/files/kewupolifipexuvuvoxi.pdf In PDF document text
    • http://ciccioinpentola.com/userfiles/files/71789810937.pdfIn PDF document text
    • https://www.hotwaterfactory.com.au/wp-content/plugins/super-forms/uploads/php/files/789ba524cbeb28cc4267b4c816200c5b/welevezulezu.pdfIn PDF document text
    • https://ms01bet.net/contents//files/gixowemazesifinodigume.pdfIn PDF document text
    • http://autowagon.it/userfiles/files/fazinekojoruvi.pdfIn PDF document text
    • https://oddluzanie.net/userfiles/file/vapafe.pdfIn PDF document text
    • http://sh8ke.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9fca1841e7---49686859358.pdfIn PDF document text
    • http://brmhn.com/userfiles/file/20210630083026_b74vyg.pdfIn PDF document text
    • http://netinflux.net/userfiles/file/vinerasar.pdfIn PDF document text
    • https://mytalk7.com/_UploadFile/Images/file/32102583355.pdfIn PDF document text
    • http://www.idenet.net/wp-content/plugins/formcraft/file-upload/server/content/files/160839d3f208b3---tarubukosigobuxagorome.pdfIn PDF document text
    • http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c2e6ea0ff87---pomomojevesapudujiguzoxo.pdfIn PDF document text
    • https://heritagelogs.com/wp-content/plugins/super-forms/uploads/php/files/mg5so8lpv4hq8d77aupo3hdiae/35038914051.pdfIn PDF document text
    • https://luxartparquet.com/wp-content/plugins/super-forms/uploads/php/files/f8eb69cb39a88fd88e7d214c5cc2fbee/raxalopa.pdfIn PDF document text
    • https://k9-warrior.com/wp-content/plugins/super-forms/uploads/php/files/0f772qtk0o2c9s7s7jg0ljsjnf/55931645123.pdfIn PDF document text
    • http://techsystem.gr/data/uploads/ckeditor/files/xekab.pdfIn PDF document text
    • https://118highschool.am/wp-content/plugins/super-forms/uploads/php/files/89f2a252459a6b54fa6e2d91b72ec61b/wilepidirofilo.pdfIn PDF document text
    • http://autofulltravel.com/userfiles/files/metati.pdfIn PDF document text
    • http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a93de63e48b---84467950837.pdfIn PDF document text
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7366115211---6926744629.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=panic+by+lauren+oliver+summaryPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016711.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16711 20064 bytes
SHA-256: f1225e34836a6e07efc97270801aae2858608a7f005d38717fb8496de12c1f8a

Open this report in the interactive analyzer, or submit your own file for analysis.