Malicious PDF — malware analysis report

Static analysis result for SHA-256 e039c6080379b691…

MALICIOUS

PDF

105.8 KB Created: 2021-08-12 15:34:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 4d243e45992f345ec6704e1482dd5392 SHA-1: d1c20750c00133901bbe63172a21bf32c6c7eb71 SHA-256: e039c6080379b69110b805d129faf0a4d408a5a9abadd0a9923b8a1e39270d07
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting a link farm or redirection scheme. The ML classifier strongly indicates maliciousness, and the presence of external URIs and link farms points towards a tactic to distribute further malicious content or manipulate search engine results. No scripts were extracted, but the overall structure and URL patterns are indicative of a malicious distribution or SEO poisoning campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 6

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=creepy+love+full+apk+2019 PDF link annotation
    • http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160a09e9cf36eb---96995067790.pdfIn PDF document text
    • http://www.wallisandemmanuel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095b786808d9---fubisevo.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac5f1b26176---19034145715.pdfIn PDF document text
    • http://bright-inter.com/file_media/file_image/file/fogejozo.pdfIn PDF document text
    • http://www.wallisandemmanuel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bcf3ef17bb4---seketesezuge.pdfIn PDF document text
    • https://hcs1000.org/wp-content/plugins/super-forms/uploads/php/files/e489853fcdc0597a903d015da1cf09c9/todaligotifoxojop.pdfIn PDF document text
    • https://www.ayersworthglen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c2a16e5942---lowap.pdfIn PDF document text
    • http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/93a267dfc20b783a143c4f80a39c52cd/94119076794.pdfIn PDF document text
    • https://xn--nmqu14inmf.com/upload/files/vilanilebom.pdfIn PDF document text
    • http://botosani.ro/img/uploads/file/472267758.pdfIn PDF document text
    • http://drshapard.com/clients/73598/File/febejutodonidimuxasibor.pdfIn PDF document text
    • http://eortak.com/img/fck_temp/file/lakalojixise.pdfIn PDF document text
    • https://searchlink.org/userfiles//file/64027071917.pdfIn PDF document text
    • http://suportti.com/wp-content/plugins/formcraft/file-upload/server/content/files/16105ee879bc61---xalinijoxobowabinegewig.pdfIn PDF document text
    • https://blackknowledge.com/wp-content/plugins/super-forms/uploads/php/files/92ce00632db838da3efc95f148c0fb9b/pumupebemude.pdfIn PDF document text
    • http://verkoop-je-wagen.be/wp-content/plugins/formcraft/file-upload/server/content/files/16095760b0d1bb---27152780763.pdfIn PDF document text
    • http://watch62.ru/files/files/89531835339.pdfIn PDF document text
    • https://truonggiangcompany.com/userfiles/file/sotobelopuvamivoxo.pdfIn PDF document text
    • https://paidionresearch.com/userfiles/files/29292302808.pdfIn PDF document text
    • https://centar-znr-zop.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1606f71a174a66---36917892376.pdfIn PDF document text
    • https://siphouse96.com/wp-content/plugins/super-forms/uploads/php/files/0606729a6ae35fa5695a5ad75a8dcd07/wuzinireseketawafu.pdfIn PDF document text
    • https://peptidturkiye.com/ckfinder/userfiles/files/vuwademuj.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000116d5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x116D5 18912 bytes
SHA-256: b74d600877af88ecb0e983c8162f2d46a3db80cde0945d0a7df63a39733e6ffd
font_01_sfnt_off00014749.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14749 16160 bytes
SHA-256: 27fa49ca30b1f57c6e4f8b99ad1f73ead7010ce1f191e20d716503af09158f46
font_02_sfnt_off00015cb9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15CB9 2344 bytes
SHA-256: 8b78151142c18bd610719da7b6149097165db9dc1b426d1cdbed7e647708a50b
font_03_sfnt_off0001670c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1670C 10756 bytes
SHA-256: e442595b38c889c6093f8ea388eed55388431c60b7f312b95b24f1ec7fa5cbdc
font_04_sfnt_off00018013.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18013 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1