Malicious PDF — malware analysis report

Static analysis result for SHA-256 db854f5b54f2ff6c…

MALICIOUS

PDF

64.0 KB Created: 2021-06-30 08:56:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29
MD5: e3eabb746ad2c812d36fe0b3fbd391cb SHA-1: 2143739a747a6e4d30cc6398093ab80e89f002ba SHA-256: db854f5b54f2ff6c150f22fe227bb1b91d2c33c4d4ad0a9423905954e6d46a07
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links pointing to compromised WordPress sites, indicating it's designed to lead users to malicious content. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the structure and heuristics strongly suggest a malicious intent to redirect users, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8555

Heuristics 4

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/uplcv?utm_term=2020+payroll+deductions PDF link annotation
    • https://gdr.co.il/wp-content/plugins/super-forms/uploads/php/files/65fd4d9411092c5e7747c64814fcf649/fetepurozoxunixajuwoxoki.pdfIn PDF document text
    • https://drainscovers.com/wp-content/plugins/super-forms/uploads/php/files/d36094b4e896d5f8751ea15c3044fe37/ravadad.pdfIn PDF document text
    • https://fiambreszav.com/wp-content/plugins/super-forms/uploads/php/files/6789ca8358a78856c837475284cbe385/14768077839.pdfIn PDF document text
    • http://allprintusa.com/admin/images/file/76414142910.pdfIn PDF document text
    • http://raduzhniy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b31f0c94955---batufigepetejapude.pdfIn PDF document text
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/1kag18vrck4rd5q2rknvv4sft5/35937300330.pdfIn PDF document text
    • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/bs019sqim7s3m4nbjlrnbqv65k/90445547814.pdfIn PDF document text
    • http://wrhs1967.org/clients/6/61/617565fc8afb9cc6d18abf932d248b7a/File/19940910537.pdfIn PDF document text
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/5fffcd93c1e696aa6ffb64adcb5c1051/gujanizulexuritojune.pdfIn PDF document text
    • http://vankouwenenmastop.nl/UserFiles/file/76075340458.pdfIn PDF document text
    • http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16090659446fcb---45518168939.pdfIn PDF document text
    • https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a97ecae8ad0---zawukuveg.pdfIn PDF document text
    • https://www.asahinafunnels.com/wp-content/plugins/super-forms/uploads/php/files/4sbc9ai7224nustilllkkkejdk/bisakodasufob.pdfIn PDF document text
    • http://dichvu12h.net/userfiles/file/98986227727.pdfIn PDF document text
    • https://twfern.org/upload/ckfinder_temp/files/20210527202947.pdfIn PDF document text
    • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/1609beb1cd94d9---zatelizuzavese.pdfIn PDF document text
    • http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a85f0caa912---42881862130.pdfIn PDF document text
    • http://global-gypsum.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609305f0ba0ae---41988790385.pdfIn PDF document text
    • https://www.alpha-dynamics.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160d38d9131665---59942904261.pdfIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df3f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF3F 10868 bytes
SHA-256: b466bc0ee49ffd2adac8bc81f643fb15fb41326f7495f10ea19a570071660348

Open this report in the interactive analyzer, or submit your own file for analysis.