Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbeb5f8ae4aaaf64…

MALICIOUS

PDF

420.4 KB Created: 2021-06-26 03:27:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f43d62469c1baa35ea0d5b8e236378ca SHA-1: e427fb973c3307d8cdc0f6062924058dd95abd71 SHA-256: cbeb5f8ae4aaaf646826fe98627c31cbb3522f89ce3407a7e74a639374d4dcda
66 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to host and distribute malicious files. The ML classifier flagged this PDF as malicious, and the presence of numerous external URIs suggests an attempt to redirect the user to a malicious download. No scripts were extracted, limiting the analysis of direct execution vectors.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7806

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4456d2db95---wuxubafibobitubavigil.pdf
    • http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607bf3165b8ba---49403571533.pdf
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afded529dcf---kigepifimuxedifimoruf.pdf
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a3ef3e14726---runum.pdf
    • http://veterina-hrib.cz/user-uploads/files/2018472255.pdf
    • https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160aaae2570bca---ronelixadar.pdf
    • http://asirius.su/wp-content/plugins/super-forms/uploads/php/files/603a422d2f0a2ffd84b1c2c162662657/renuliroxad.pdf
    • https://rmdschoolandcollege.com/wp-content/plugins/super-forms/uploads/php/files/8tcve9ue925bbj8nqnsucq5u14/75146980705.pdf
    • https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160d0ce3e0347f---78790112014.pdf
    • http://aarogyamedico.com/userfiles/file/lobuxipowamogesamuvaxavu.pdf
    • https://bestmiamiturf.com/wp-content/plugins/super-forms/uploads/php/files/6ace572863bf886725681b2c3834fd15/98662964295.pdf
    • https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/22ee5e968a03de112590525fa8fa60ef/85880223155.pdf
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/kt6v6hre8q1volsu6c5qs9u5vn/52382196005.pdf
    • https://www.perfumista.co.uk/wp-content/plugins/super-forms/uploads/php/files/163a824f00d720a1c6919df592f6511c/taretaruludip.pdf
    • http://wskinbody.com/data/boardData/files/kosarulizin.pdf
    • https://antoinepanau.com/wp-content/plugins/super-forms/uploads/php/files/a351a64b7d58d47510244b472ca5ffae/29029951312.pdf
    • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/160898d188fef8---rolojoke.pdf
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/v4vj0j53uuaoipt4ruu3bun79m/koxojufe.pdf
    • http://maxitelt.no/wp-content/plugins/formcraft/file-upload/server/content/files/160a796c73d067---subawo.pdf
    • https://evergreencans.com/userfiles/file/40675636330.pdf
    • http://hotelamadeustorino.com/userfiles/files/96381950261.pdf
    • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6b9a1dfaff---27333959796.pdf
    • https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/irhb0t7pu592g9dl6g3n6qjv5m/71581825580.pdf
    • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/9e29ebbc35a8e3b66e5f893a16a35153/ferijelulabaruga.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=happy+new+year+poster+hd
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_011_off00066972.bin
0e4c629d13b8a0a8e4f00f9df749e85f10849d8704f94bcdf74a9979b1f47905		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x66972 10540 bytes
font_00_sfnt_off00062358.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62358 16792 bytes
font_01_sfnt_off00063b6a.bin
e7d2d2522cb4312f5277a2200d7e6036b6b074eed25fecec5cf942e608a71fb9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63B6A 17560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.