PDF malware analysis — malicious · 01ad1d08f806e69e

MALICIOUS

PDF

84.7 KB Created: 2021-06-29 17:56:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: ec0ce415bfa3a6243bd9d53d699701c1 SHA-1: e2771cb9cd16a5c724ccf66112f53ccc3889ba7a SHA-256: 01ad1d08f806e69e254b3ce50247c662af6b15833d5c49e9f02ea4e34b6c9ffe

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a large number of links pointing to compromised WordPress sites, indicating a link farm designed to distribute malicious content. The presence of 'cmdcm5d96urdsfu9euhb1tf64/13941338651.pdf' and similar patterns in the URLs suggests a coordinated effort to host malicious files. ClamAV detection and ML classification further support its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9956

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://deurwater.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afbf13333ce---5377107708.pdf In PDF document text
- http://www.meditt.com/wp-content/plugins/super-forms/uploads/php/files/sfrb1mfj7it1tkm99rpq8roovs/joronuxubawafowu.pdfIn PDF document text
- https://soba05.org/wp-content/plugins/super-forms/uploads/php/files/09cbba08df1540407da4a1ca4295cb86/zubigama.pdfIn PDF document text
- https://segurosjdd.com/wp-content/plugins/super-forms/uploads/php/files/4cmdcm5d96urdsfu9euhb1tf64/13941338651.pdfIn PDF document text
- https://motionslam.com/wp-content/plugins/super-forms/uploads/php/files/4b0734df8c76db526fc5969239753c41/67907846956.pdfIn PDF document text
- https://leesman.com/wp-content/plugins/super-forms/uploads/php/files/d451498577a824e2c71899796e102679/52419089119.pdfIn PDF document text
- https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/uq9u142fnjq5f70v8pfgnkkgqq/55212128889.pdfIn PDF document text
- https://upbfassadenbau.com/upload/file/vesozigemenajogiv.pdfIn PDF document text
- https://homini.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16079bc9093527---zopawix.pdfIn PDF document text
- https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/r5s5mtvtededfcs84ndkapkd44/jirizutovonagidomotuf.pdfIn PDF document text
- https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/3d27c01cad4afbf029f09e9b6fd265eb/rapomedov.pdfIn PDF document text
- http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/3f8ca7ef6632a0870c5fc5375bf07caf/vosudavowa.pdfIn PDF document text
- https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb5ab3552b---gepukale.pdfIn PDF document text
- http://velocimapper.com//webfiles/file/66632160352.pdfIn PDF document text
- http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f965322629---bilozufufalutefu.pdfIn PDF document text
- http://www.korayozelguvenlik.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2d77ce26d2---3792995101.pdfIn PDF document text
- https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab47163d8e2---67438245364.pdfIn PDF document text
- https://suprizpin.com/calisma2/files/uploads/fapanizugisukisukeboji.pdfIn PDF document text
- http://allycatering.com/userfiles/finutafawa.pdfIn PDF document text
- https://miamiuniquelimo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160980ded6adfc---dupofotevivesabisub.pdfIn PDF document text
- http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/7f7a262d3fb60c46a174ebc17bcdd836/46897580696.pdfIn PDF document text
- http://df-2.de/images/daten/file/8848458114.pdfIn PDF document text
- http://www.idenet.net/wp-content/plugins/formcraft/file-upload/server/content/files/160ce12e52668f---votuzapesilobat.pdfIn PDF document text
- https://motionslamIn macro / runtime command snippet
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=how+many+fl+oz+are+in+a+quartPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e780.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE780	17360 bytes
SHA-256: `f27a0ea62207350c2065794d3dfaf82cfb701e10696ca05c22e1fc88e167c12b`
`font_01_sfnt_off000114ed.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x114ED	10704 bytes
SHA-256: `d5fa48e4b1ecdaecacdeb81026cd90612dcf09af58733940c504d7dd044a0b3e`
`font_02_sfnt_off00012d84.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12D84	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.