PDF malware analysis — malicious · 07475d24998be70d

MALICIOUS

PDF

81.1 KB Created: 2021-09-06 21:08:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: a29e2b0fbd934678606a89ddd6a9acd0 SHA-1: 6a724fc5471c3f89e1c3c3366d4cfd87bb02652e SHA-256: 07475d24998be70dfdbc2edbb567b675440af813ec31f814438a7290bb5ebea4

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and a significant number of external URIs, many of which point to compromised websites or disposable hosting. The ML classifier strongly indicates maliciousness, and the heuristics suggest the document is a link farm designed to redirect users to external sites, likely for phishing or malware delivery. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 0.9974

Heuristics 6

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://archism.ru/uplcv?utm_term=easy+jazz+christmas+piano+pdf
- https://motodubai.com/uploaded_images/files/706423592.pdf
- http://amoy-art.com/Upload/file/65779833208.pdf
- http://toshiba-center.ru/uploads/files/61848878582.pdf
- http://deurwater.com/wp-content/plugins/formcraft/file-upload/server/content/files/160baeb22c6e76---11807328001.pdf
- http://lukoilmarine.com/ckfinder/userfiles/files/ketutoxelawegiworemale.pdf
- https://rhdplumbing.com/wp-content/plugins/super-forms/uploads/php/files/2ea4c96ce155ff0b940c689ab9e58a45/68813926092.pdf
- http://veszpremkosar.hu/_user/file/saminesatupudofus.pdf
- http://inezorviskids.com/clients/37546/File/vowonemeseg.pdf
- https://inclinedigital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b17725aa78---mibine.pdf
- http://djarkitek.com/temp/vinney/HTML/userfiles/file/bexajagida.pdf
- https://implant-drill.com/userfiles/file/22091655705.pdf
- https://ccskin.com/geektic/files/24051122045.pdf
- http://standardamulet.com/files/files/rekuxiposupizame.pdf
- http://accessibilite-salle-eau.com/ckfinder/userfiles/files/delajemifosokik.pdf
- http://andreevmag.com/wp-content/plugins/super-forms/uploads/php/files/bcc4d0ad5b42867461f1fc5967eb9127/geban.pdf
- http://www.jacenter.org/js/ckfinder/userfiles/files/49454181401.pdf
- https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d0cc1d95c75---73453278172.pdf
- http://dh-cell.com/ckfinder/userfiles/files/76322965555.pdf
- http://vitajeans.com/ckfinder/userfiles/files/56992401042.pdf
- https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/0b71545b014a7572ec4ed4be7f7dde3a/wikotobuzibufejodoxut.pdf
- http://bygreenpure.com/userfiles/file/1731012132.pdf
- https://www.fifatravels.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092d373a0db1---65198124396.pdf
- http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1607b4bca29845---81230611053.pdf
- https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c6b895865c---lajaso.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d95c.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD95C	16792 bytes
`font_01_sfnt_off0000f173.bin` `3e5218023b27f8075c9f2906ab1ca20f00b4b1392e67fc7ddf5582e0622b5a47`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF173	10992 bytes
`font_02_sfnt_off00010ad6.bin` `0fa2cc70c6e16a329ddf56d5ca4071c89fd34101e68ede5fc3878f4e260ece43`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10AD6	16840 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.