Malicious PDF — malware analysis report

Static analysis result for SHA-256 f31909ca7f2f04c0…

Verdict: MALICIOUS
File type: PDF
Size: 129.1 KB
Created: 2021-06-22 16:37:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-14

MD5: 663f7f1eaed6469e195ef7fb83362775
SHA-1: 32141c8c8bcc3de50bccf5484b50e31555d7511a
SHA-256: f31909ca7f2f04c02e364676b51ef7a6fb7b8917e37eb32db0b1ee7aeb5b515f

Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains many links to compromised WordPress sites, the pattern of a link farm built to route readers into redirect or payload chains hosted on sites the attacker does not own. The Nyx PDF classifier scored the file 0.9455 (malicious). The producer string (wkhtmltopdf 0.12.5) shows the file was rendered from HTML, which fits the templated "free document/template" SEO phishing family described under Heuristics. The document itself carries no exploit: no JavaScript action or script stream was recovered, and the only carved objects are one Flate-compressed content stream and two embedded fonts, so the T1059.007 (JavaScript) mapping above is not corroborated by the extracted artifacts and should be treated as unconfirmed. The risk lies in the linked destinations; triage should pivot to the listed URLs and the compromised hosts' plugin upload directories rather than to the PDF's own content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9455

Heuristics (4)

  • PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM (medium): PDF link farm points to compromised-WordPress upload storage
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_SEO_DISPOSABLE_LINK_FARM (medium): Small PDF is a non-clustered link farm on disposable hosting
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/cfea15d6eea15c9f530249d740f25f1a/kexexejegepasowe.pdf (in PDF document text)
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16094f75bd640f---potowitebafirefuteg.pdf (in PDF document text)
    • http://allegroescrow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f6e353ff2a---poxefemesa.pdf (in PDF document text)
    • https://www.blackandwhite-salon.com/wp-content/plugins/super-forms/uploads/php/files/d6ae23f8caeebf757d7d0582625820e9/foxudebunozugagut.pdf (in PDF document text)
    • http://penoplex24.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfc49199ac---sozuvijarubexe.pdf (in PDF document text)
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/5b34e125adc5d48316af6048b7f106f2/kutodewidaxodid.pdf (in PDF document text)
    • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608c342830a34---tibubavobewifinoxav.pdf (in PDF document text)
    • http://fittbikese.hu/files/file/56838884701.pdf (in PDF document text)
    • http://fincasotilloviejo.es/files/sotillo/_repo/file/fodemuzabikaniwavufapi.pdf (in PDF document text)
    • https://1sis.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7d311e282f---80183661808.pdf (in PDF document text)
    • https://www.adcgrain.com/wp-content/plugins/super-forms/uploads/php/files/e0084a67db1bf0dbd2be5da14752abc8/25013572553.pdf (in PDF document text)
    • https://primax.fr/wp-content/plugins/super-forms/uploads/php/files/lsev2jqsbvui6g99kfe941ajh3/tijiruxoludo.pdf (in PDF document text)
    • http://www.altrus.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160a981d4380be---mabevubotugolavop.pdf (in PDF document text)
    • http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/1609d5a6b21646---2769328948.pdf (in PDF document text)
    • https://poolpoint.be/uploads/file/22182242441.pdf (in PDF document text)
    • http://nktrading.qa/file/files/92431380573.pdf (in PDF document text)
    • http://dollreunion2020.com/clients/4/43/4392dc7a9e9236654a628da0af121bbb/File/vijamodunuvuvabuvop.pdf (in PDF document text)
    • https://reflexlighting.com/wp-content/plugins/super-forms/uploads/php/files/6f4128ee44549bf418163850995f6066/67270735851.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/6naE_Nh8_CY/uplcv?utm_term=you+have+the+right+to+remain+innocent+pdf+free (PDF link annotation)
    • http://scripts.sil.org/OFL (in PDF document text)
    Note: the ascendercorp.com and scripts.sil.org/OFL entries are a font-vendor URL and the SIL Open Font License URL, the kind of strings carried in embedded font name tables (two sfnt fonts were carved from this file); they are not part of the link farm. The feedproxy.google.com link is the only one reached through a link annotation and the only one carrying a utm_term query, which is the SEO-redirector signal the second heuristic refers to.
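
The two link-farm heuristics above are described in prose only. The following is an added example written for this page, not the scanner's own rules or code: it carves FlateDecode streams out of a PDF byte string, pulls /URI link-action targets from them, and scores the resulting URL set the way the heuristics describe (distinct-host spread, no dominant host, plugin upload paths, random-slug filenames, a utm_term redirector). The input URLs are a subset of the EMBEDDED_URL list in this report; the PDF bytes, the thresholds, the random-slug regex and the example.invalid URL are constructed for the example and are not taken from the analyzed sample.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed input: a subset of the URLs listed under EMBEDDED_URL in this report.
SAMPLE_URLS = [
    "https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/cfea15d6eea15c9f530249d740f25f1a/kexexejegepasowe.pdf",
    "http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16094f75bd640f---potowitebafirefuteg.pdf",
    "http://allegroescrow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f6e353ff2a---poxefemesa.pdf",
    "https://www.blackandwhite-salon.com/wp-content/plugins/super-forms/uploads/php/files/d6ae23f8caeebf757d7d0582625820e9/foxudebunozugagut.pdf",
    "http://penoplex24.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfc49199ac---sozuvijarubexe.pdf",
    "http://fittbikese.hu/files/file/56838884701.pdf",
    "https://poolpoint.be/uploads/file/22182242441.pdf",
    "https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/6naE_Nh8_CY/uplcv?utm_term=you+have+the+right+to+remain+innocent+pdf+free",
    "http://scripts.sil.org/OFL",
    "http://www.ascendercorp.com/typedesigners.html",
]

# Upload directories of the two WordPress form plugins named by the heuristic.
CMS_UPLOAD_RE = re.compile(
    r"/wp-content/plugins/(?:formcraft/file-upload/server/content/files"
    r"|super-forms/uploads/php/files)/", re.I)
# Random-looking filename stems: long lowercase gibberish, long digit runs, or the
# FormCraft "<hex>---<slug>" shape. This is an approximation chosen for the example,
# not the scanner's own rule.
RANDOM_STEM_RE = re.compile(r"^(?:[a-z]{10,}|\d{8,}|[0-9a-f]{8,}---[a-z0-9]+)$")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_uris(pdf_bytes):
    """Collect /URI link-action targets from the raw file and from every stream that
    inflates as zlib (FlateDecode). Literal-string escapes and hex strings are not
    handled: this is a triage helper, not a PDF parser."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded (or truncated); skip it
    return [m.group(1).decode("latin-1") for blob in blobs for m in URI_RE.finditer(blob)]


def link_farm_report(urls):
    """Score a URL set against the two link-farm heuristics and return the metrics."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    cms = [u for u in pdf_links if CMS_UPLOAD_RE.search(urlparse(u).path)]
    cms_hosts = {urlparse(u).hostname for u in cms}
    random_slugs = [u for u in pdf_links
                    if RANDOM_STEM_RE.match(urlparse(u).path.rsplit("/", 1)[-1][:-4])]
    seo = any("utm_term=" in urlparse(u).query for u in urls)
    hits = []
    # Many plugin-upload targets on several distinct compromised hosts, random slugs.
    if len(cms) >= 3 and len(cms_hosts) >= 3 and any(u in random_slugs for u in cms):
        hits.append("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM")
    # Many PDF links thinly spread (no host holds half of them) plus a utm_term redirector.
    if len(pdf_links) >= 5 and len(hosts) >= 5 and share < 0.5 and seo:
        hits.append("PDF_SEO_DISPOSABLE_LINK_FARM")
    return {"pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
            "dominant_host_share": round(share, 3), "cms_upload_links": len(cms),
            "random_slug_links": len(random_slugs), "seo_redirector": seo,
            "heuristics": hits}


def build_sample_pdf(urls):
    """Constructed stand-in for the analyzed file: link annotations inside a FlateDecode
    stream plus one uncompressed annotation. Not a complete PDF (no xref table), but it
    exercises extract_uris on the compressed object layout wkhtmltopdf output uses."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % u.encode("ascii")
        for u in urls)
    body = zlib.compress(annots)
    return (b"%%PDF-1.4\n1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n"
            b"2 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI"
            b" /URI (https://example.invalid/plain.pdf) >> >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    found = extract_uris(build_sample_pdf(SAMPLE_URLS))
    for key, value in link_farm_report(found).items():
        print(f"{key}: {value}")
```

On the report's URL set both heuristics fire: seven PDF links on seven distinct hosts (dominant share 0.143), five of them in FormCraft or Super Forms upload directories, all seven with random-looking stems, plus the utm_term link. A normal document citing two PDFs on one host scores nothing, which is the negative case the second heuristic's "no single dominant host" clause is there to separate.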

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_007_off0001f885.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1F885   3916 bytes
    SHA-256: a30fb7fba5c8f2c3b96074966d042496cd34e3be29765e0119bc6f79110332c0
font_00_sfnt_off0001d8b8.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1D8B8  4000 bytes
    SHA-256: 6515aba1f4efebde30297dd7203469ecc1439625895cc941637737054f902152
font_01_sfnt_off0001e6c7.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1E6C7  5260 bytes
    SHA-256: 07bb1b8c85fb3a6897fc3ed05973bb0664d61a2aa18f5a766114c04f4da7b651