Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1731ade4bb94d94…

MALICIOUS

PDF

73.9 KB Created: 2021-07-16 16:03:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: aad18af9e98ad3462e3c21c8b2fea567 SHA-1: 2dd14b4f7f7fba41d64338d21a6d347353af229a SHA-256: f1731ade4bb94d948039deb0264c5be65a9f803508747d67498f7587bafd7b10
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to compromised WordPress upload directories, suggesting an attempt to host malicious files or redirect users to phishing sites. The 'SE_CALLBACK_LURE' heuristic indicates a potential callback phishing or tech-support scam pattern. Although no scripts were explicitly extracted, the nature of the links and the ML classifier's high confidence score point towards malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 6

  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://melissajacksonmd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608560639e90e---bafewadewabamig.pdf In PDF document text
    • http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609cc4b34f63b---2475197828.pdfIn PDF document text
    • https://amadesafar.ir/basefile/amadesafarir/files/rulupebujezukureko.pdfIn PDF document text
    • http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adf481b2d7a---82818641865.pdfIn PDF document text
    • http://portalcom-b2b.es/img/user///file/_0074787001625285968.pdfIn PDF document text
    • http://www.segurosfacility.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607e1ca190acd---jorifujalatib.pdfIn PDF document text
    • https://homecareangels.ca/files/files/files/46329401072.pdfIn PDF document text
    • https://goldengrowers.com/wp-content/plugins/super-forms/uploads/php/files/24f9c7e13a3bc8651f600125f60e0290/59001865420.pdfIn PDF document text
    • http://modnyi-buket.ru/uploads/files/44358926032.pdfIn PDF document text
    • https://lakeshoresmilesdentistry.com/wp-content/plugins/super-forms/uploads/php/files/h48aak6dg3t8v9paggeiiktk43/53438812660.pdfIn PDF document text
    • http://apsons.eu/files/file/wiwuw.pdfIn PDF document text
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/160a44144a35ad---pudir.pdfIn PDF document text
    • https://bcbc3399.com/upload/files/xabagesexivimojig.pdfIn PDF document text
    • http://automotiveenergy.cz/userfiles/file/gezokawelamujuzutiritug.pdfIn PDF document text
    • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160b7480e855fa---ruximejafazupogimu.pdfIn PDF document text
    • http://cissi.it/userfiles/files/76734590838.pdfIn PDF document text
    • http://ontheedgeofnow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160837ea23bfef---17226025550.pdfIn PDF document text
    • http://www.johnknox.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160891029d778f---66009279568.pdfIn PDF document text
    • https://www.hauptsache.cc/wp-content/plugins/formcraft/file-upload/server/content/files/160a03c97d4ca1---7806852063.pdfIn PDF document text
    • http://archiwum.wyryki.eu/admin/ckfinder/userfiles/files/67827177981.pdfIn PDF document text
    • https://beautifullifeuk.com/wp-content/plugins/super-forms/uploads/php/files/04f4641145d52bb422b13604979d1c41/4634467274.pdfIn PDF document text
    • http://visit-pune.com/userfiles/file/memirap.pdfIn PDF document text
    • http://sbhs1967.com/clients/8/89/8985ce50e7417da620f75e2af787291b/File/69807428725.pdfIn PDF document text
    • https://cqc-material.com/app/webroot/userfiles/files/125296695.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=building+construction+act+1952PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bedf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBEDF 11040 bytes
SHA-256: a83e7cd3c21fa446936318b3065091d4496b736d9eb9351a2395e1fadad0889b
font_01_sfnt_off0000d89c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD89C 16244 bytes
SHA-256: 671f0741bdf4b8b19b6a7aa134abfaa2ea9ec216a5e1223b3ba73cc0ef20ac7c
font_02_sfnt_off00010282.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10282 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1