Malicious PDF — malware analysis report

Static analysis result for SHA-256 c84482221a1d6f40…

MALICIOUS

PDF

68.0 KB Created: 2021-09-12 19:47:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-02
MD5: 32273b6a73f22273cdb76991629e49fa SHA-1: dc574d039cefaa36b8c4d6823afb22edfb75d434 SHA-256: c84482221a1d6f40b43903b8e4b89aec50af9b4a64e164d5085ac8324e0ef48a
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm with numerous embedded URLs pointing to other PDF documents. Several of these URLs are hosted on domains that appear to be compromised CMS upload directories, suggesting a tactic to distribute malicious files or manipulate search engine results. The presence of multiple distinct hosts and the use of UTM parameters indicate a coordinated effort to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4539

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://droneducational.com/admin/userfiles/file/nenusij.pdf In PDF document text
    • https://cordovajewelry.com/images/file/55923273951.pdfIn PDF document text
    • http://gdwtechnology.com/fckeditor/file/33564119389.pdfIn PDF document text
    • https://bursac.net/userfiles/file/vumorakutozukuvosuwapap.pdfIn PDF document text
    • http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/161372e9e4e113---7565507823.pdfIn PDF document text
    • http://orderleesushi.com/uploads/files/fomopa.pdfIn PDF document text
    • https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/16139e741ecad6---9747748092.pdfIn PDF document text
    • http://mh-gartengestaltung.de/userfiles/file/kevetugavowi.pdfIn PDF document text
    • http://twtipa.com/upfile/files/2021/09/08/30568555848.pdfIn PDF document text
    • http://soluzionebenessere.eu/userfiles/files/tomasuguvumedukigikafeseg.pdfIn PDF document text
    • http://uchid.com/uploads/file/1571767548.pdfIn PDF document text
    • http://kingswaytyres.com/project/kingsway/uploads/file/74220922763.pdfIn PDF document text
    • https://art-gallery.mn/uploads/files/zeduv.pdfIn PDF document text
    • http://195exim.com/datas/files/nodimufobolaso.pdfIn PDF document text
    • https://360clothing.indicsys.com/home/www360cl/public_html/uploads/images/files/garesomexero.pdfIn PDF document text
    • https://wonwon.taipei/photo/file/49102583994.pdfIn PDF document text
    • http://alarm.pl/userfiles/file/jadopapekinokokaduluweki.pdfIn PDF document text
    • http://mispuntossaga.com/campannas/file/pagixuwan.pdfIn PDF document text
    • https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/161368cf16833b---55628499785.pdfIn PDF document text
    • http://www.gdchgs.com/admin/img/files/58540249269.pdfIn PDF document text
    • http://slkuang.com/v15/Upload/file/202192648485413.pdfIn PDF document text
    • http://softtox.pl/new/userfiles/file/divifosetewena.pdfIn PDF document text
    • https://tallerescarrion.com/uploads/file/webojanavat.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=3d+sniper+hackPDF link annotation
    • https://lapdonline.org/file/16280218533.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d284.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD284 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000ea9b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA9B 10516 bytes
SHA-256: 251577b7a7958bf07e53d931c79c7b97f4c277698ed7a77e828b88bd384650dd