Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4c8d909a5b12dcd…

MALICIOUS

PDF

Size: 68.1 KB
Created: 2021-09-21 04:47:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-27
MD5: e4770aea6bd195411176949f11205df5
SHA-1: 7fc5f52d84906bbf9c21e24abfebebd310b6eebb
SHA-256: d4c8d909a5b12dcd7a20374acd7289070c14e66743f8c283d7d7e0bc61880ad7
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF sample exhibits characteristics of a malicious document, including malformed streams and links to compromised websites. The heuristics indicate it functions as a link farm, directing users to potentially malicious content hosted on various compromised domains. The ML classifier also flagged this sample as malicious, increasing confidence in its threat.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7816

Heuristics (5)

  • Malformed active-content stream length (medium) [PDF_MALFORMED_EXPLOIT_STREAM_LENGTH]
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • PDF link farm points to compromised-WordPress upload storage (medium) [PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium) [PDF_SEO_DISPOSABLE_LINK_FARM]
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e059.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE059
Size: 20184 bytes
SHA-256: a88258d1bf1358bde17bd02a8c0a3691b4f8bcd5b9b1e4bde20e57f785b3f131