Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0fb41055e56f27…

MALICIOUS

PDF

87.6 KB Created: 2021-06-28 23:47:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 72ef558b447e325be2a0871621f1b92e SHA-1: 2f751c4ad29f6c165addddabc07dc66b87981752 SHA-256: bf0fb41055e56f27b621793899a9b85b6dabec836780c67b54d649be39cae628
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links pointing to compromised WordPress sites, specifically targeting upload directories. These links likely serve as a distribution point for further malicious content. The ML classifier strongly indicates maliciousness, and the structure suggests a link farm designed to host or redirect to malicious PDFs, aligning with phishing or spam campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics 5

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pointsourcegroup.com/wp-content/plugins/super-forms/uploads/php/files/d91eb0609a5719036efa5170e6baa34c/kesokabesaditir.pdf In PDF document text
    • https://stayatrosetta.com/wp-content/plugins/super-forms/uploads/php/files/gf2fo3b959e1727lgpl70p2fqi/rijilodunomevevison.pdfIn PDF document text
    • http://cetinelektrik.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160bd63c926f3f---furugedo.pdfIn PDF document text
    • https://www.ideakliniksisli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c54b0aee514---mulavavusovikajovopa.pdfIn PDF document text
    • http://www.esthemed.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160a4820521b50---gopizozekonijatuxoxo.pdfIn PDF document text
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/16072c273d54ad---24585280798.pdfIn PDF document text
    • http://podiummoda.ru/userfiles/file/zizesutelukave.pdfIn PDF document text
    • https://www.intermediastudios.com.mx/wp-content/plugins/super-forms/uploads/php/files/decbff4fc5cd89e7cccc55e74f743839/kodakixerasumowo.pdfIn PDF document text
    • https://apinero.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075f7368357b---53567424314.pdfIn PDF document text
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/160773cec60b9e---87002772472.pdfIn PDF document text
    • https://www.brunosistemi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba7fcc7e3cf---4827795079.pdfIn PDF document text
    • http://sity-luxe.ru/userfiles/file/tirive.pdfIn PDF document text
    • http://ewtch.com/upload/files/28420485457.pdfIn PDF document text
    • http://qunjl.com/userfiles/files/52851874558.pdfIn PDF document text
    • http://paymentsbusiness.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1609f288e6d25a---90084601312.pdfIn PDF document text
    • http://utuin.net/files/fckeditor/file/zopotareliwev.pdfIn PDF document text
    • https://www.arc-welding.co.uk/wp-content/plugins/super-forms/uploads/php/files/ihocnd20c82uug5ic1j9lac648/kewujexejexavetezujipak.pdfIn PDF document text
    • http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f9153446bb---24543004599.pdfIn PDF document text
    • http://files.ibiza-ferien.de/file/wuteraduka.pdfIn PDF document text
    • http://www.segurosfacility.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16072a2d8e1ce5---rojemejoporuxenemi.pdfIn PDF document text
    • http://billsky.ee/files/file/zusulefofuwu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=wolf+of+wall+street+adult+scenesPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f240.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF240 10556 bytes
SHA-256: de83cf9fc061be866b11b9081e87e09e8585bc923de66104291fecd1b9424612
font_01_sfnt_off00010a8e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10A8E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000122a0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x122A0 17716 bytes
SHA-256: ee0bada147f7e9677517a4238b1c9e8b760da59fa36e5b25e181c34e79f7943b