PDF malware analysis — malicious · f92003f5a9b41b1a

MALICIOUS

PDF

79.4 KB Created: 2021-10-14 01:30:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: b86fa40290917edfbb3aa7ba8ff39eb0 SHA-1: 117409e0ad73a30c49437eadae3ad65583c1d5ee SHA-256: f92003f5a9b41b1abb37bd12f7c25338deada9e2e585bbef12dbac9f5dd66a6e

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a significant number of external links, many of which point to compromised WordPress sites. These links appear to form a link farm, a common tactic to obscure the final malicious destination or to distribute malware. The ML classifier strongly indicated maliciousness, supporting the interpretation of these links as part of a malicious campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9911

Heuristics 6

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614138098f257---potikatowutatizi.pdf
- https://tradingphrases.com/userfiles/files/xiranotojuzab.pdf
- http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/161581d3e1fd0b---56588192013.pdf
- http://cy2hand.com/userfiles/88136598955.pdf
- https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/161533b6c5d328---16471171584.pdf
- http://lasantitosrestaurant.com/userfiles/file/85427877262.pdf
- http://classiccar-jp.com/js/upload/files/63438940335.pdf
- http://przedszkolenisko.pl/userfiles/file/tesidalesot.pdf
- http://culbertsonlawyer.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/75325017468.pdf
- http://jgbt.us/pds/userfiles/files/lonidepefe.pdf
- http://immobilieninvestors.de/userfiles/file/lodakifumebe.pdf
- https://www.aicsmindia.org/ckfinder/userfiles/files/jakaguvomijuvinakivu.pdf
- http://zhongjiukeji.com/upload_fck/file/2021-10-10/20211010103204204308.pdf
- http://taiwan-tsai.com/upload/files/70648266282.pdf
- http://clarksville.net/wysiwygfiles/file/marorululif.pdf
- https://letstravelforacause.com/miet/assets/files/78575745254.pdf
- http://feach.ie/images/uploads/file/zofalewikerutugojox.pdf
- https://kimtuong.vn/isc/public/files/fckupload/file/30399731899.pdf
- https://emenu.hu/editor_up/21527624790.pdf
- http://rensind.com/upfolder/e/files/20210924175358.pdf
- https://hps-gruppe.com/wp-content/plugins/super-forms/uploads/php/files/3kr44queof379hpm09m7mn38fv/rezaba.pdf
- https://guadix.co/ckfinder/userfiles/files/vuliwukujifek.pdf
- https://skatrip.com/basefile/skatripcom/files/gobivupoxukekitibelixim.pdf
- https://hoya.hr/UserFiles/file/31756202817.pdf
- http://www.huescalamagiaenfotos.com/userfiles/files/17162508532.pdf
- http://freeware-software-download.de/uploads/editor/file/kebipuwopodokukujigisof.pdf
- http://greenbiotech.vn/uploads/userfiles/file/sebuseguriva.pdf
- https://feedproxy.google.com/~r/Gsjc/~3/xPAns0MRe5M/uplcv?utm_term=principle+of+mathematical+induction+examples
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000caf2.bin` `a9ab9676243a0459d5077f01022e690cbbab427c89c07c7438972ca4e36809f6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCAF2	11088 bytes
`font_01_sfnt_off0000e49a.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE49A	16792 bytes
`font_02_sfnt_off0000fcac.bin` `6f50dd2d2daebd1e0c5026940292c376b82324adca6a3b88f96cd9989799780c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFCAC	19224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.