PDF malware analysis — malicious · 05c74f1e2f481c4c

MALICIOUS

PDF

73.6 KB Created: 2021-09-23 14:08:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 2e6e71e45bef8b196d8792a18d9a3422 SHA-1: 0b1b0f91f4e8d32e740c21ca650e088b49a47e6b SHA-256: 05c74f1e2f481c4cd6bfbc3c7939f81f856ec688d22ab8861392fe51e94a1064

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous external links, many pointing to compromised CMS upload storage or disposable hosting, suggesting a link farm designed to redirect users. The presence of these links and the PDF structure strongly suggest a phishing or malware distribution lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9982

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pypconsultores.mx/userfiles/file/67868386624.pdf
- http://wooshin.kr/uploaded/file/1839884041614899ad73bb1.pdf
- http://honeystraw.com/uploadfiles/file/48158867283.pdf
- https://fluffy-chins.com/images/file/sufozop.pdf
- http://www.acefence.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141638fc2927---72848322884.pdf
- http://extreamtuning.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16140f5b9af862---rugotukonex.pdf
- http://8njl.com/userfiles/files/gogazixopaganutefiviwi.pdf
- http://kameleonhastanc.hu/files/file/5524294120.pdf
- http://land89.com/ckupload/files/47336926081.pdf
- http://podarox.ru/public/files/godujagutarasevov.pdf
- http://agataklimowska.pl/userfiles/file/xusofejapafebezefa.pdf
- https://elperrocallejero.info/ckfinder/files/gogorefirojuwuvo.pdf
- https://wentworthre.com/wp-content/plugins/super-forms/uploads/php/files/3412820facede0fb56ed7ef2418cfe5d/pawekobomatuk.pdf
- https://ms2gacor.com/contents/files/6162862895.pdf
- https://www.techsrollout.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613838f3e05b2---63661969197.pdf
- http://www.thunderesp.com/ckfinder/ckfinder.htmlfiles/62844114123.pdf
- https://thesmithgrouphouston.com/wp-content/plugins/super-forms/uploads/php/files/478ebc14e538a6d01d6acc08162996fe/67786603883.pdf
- https://locktactyuma.com/ckfinder/userfiles/files/pofifazexekibudifaga.pdf
- https://photographerin.agency/wp-content/plugins/super-forms/uploads/php/files/mcu7s9r28vrprtmj5qi6t74af1/kozezuja.pdf
- http://isemya.by/modules/ariol/static/ariol/ckfinder/files/xademuruwolowabuzomu.pdf
- http://mousike.it/img_ins/files/8447871066.pdf
- https://angel-juicer.com/FileData/ckfinder/files/20210921_40CD50B123385A84.pdf
- http://brandweeramsterdamamstellanden.nl/userfiles/file/94177311763.pdf
- http://climacom.eu/userfiles/files/59458838031.pdf
- http://ueros.fr/admin/ckfinder/userfiles/files/ximagaxakofud.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=good+witch+season+6+episode+1+free+online
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ba9b.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBA9B	16792 bytes
`font_01_sfnt_off0000d2ad.bin` `1cc99d97a036e3e5d2a6c39b4da883e254250541a88fd25e0957bb725b1a7b5c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD2AD	16740 bytes
`font_02_sfnt_off0000fe7b.bin` `2ef29743ea3b54d90573df1a725c376d4a9abac850e53d69cab98cb3023fadf4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFE7B	11064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.