PDF malware analysis — malicious · 096f0fd8fc29c7f9

MALICIOUS

PDF

77.3 KB Created: 2021-06-25 00:21:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12

MD5: 5fac4fc8f378852b5df416c3bf45c96a SHA-1: 3e1e93cae2b3bf31b6adff53297da2979edcf7ce SHA-256: 096f0fd8fc29c7f9c2b33f484d516ba88da3b29846013b7da39730589f99a378

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a link farm pointing to numerous compromised CMS upload directories, suggesting a phishing or SEO poisoning campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to redirect users to potentially harmful content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://wib24-admin.de/uploads/file/57423323965.pdf In PDF document text
- http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b85cf0e688---14025629914.pdfIn PDF document text
- http://epoetryworld.com/clients/53741/File/puwusewupos.pdfIn PDF document text
- https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/6th6ug55lsn4phgtegt1qls1q4/raxonivej.pdfIn PDF document text
- http://zonazero.es/userfiles/file/50634556244.pdfIn PDF document text
- http://reiki-roots.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160c8e9815b31b---fixegogo.pdfIn PDF document text
- http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b472e8b5fed---99305291817.pdfIn PDF document text
- https://iominneapolis.com/wp-content/plugins/super-forms/uploads/php/files/867c821498ee3b48e7cc14cbcb307ed0/73982654490.pdfIn PDF document text
- https://www.davinci.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1607267970a18f---98188958195.pdfIn PDF document text
- http://aaaexpressheating.com/userfiles/file/piwowuxaxedibowinutuz.pdfIn PDF document text
- https://viajespereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093f7392192b---28314948443.pdfIn PDF document text
- https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bb685d2fa57---9466633249.pdfIn PDF document text
- https://koetec.com/home/~ptow/public_html/ckfinder/userfiles/files/widiwejokokefubu.pdfIn PDF document text
- http://scissortailfarms.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609434efc98ce---97292777766.pdfIn PDF document text
- http://cricalliance.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a14888a5c21---bazuxajuse.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/A3Ryygt5BCM/uplcv?utm_term=twilight+saga+pdf+booksPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f24a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF24A	5452 bytes
SHA-256: `43b245e9d6631eaf850b8dfc8cd392a04fed1b88a6e214022e3208d02eb0e871`
`font_01_sfnt_off000104e7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x104E7	10476 bytes
SHA-256: `e6eadb0a10732d578347601436faf35496ddf3b1b69e462049c21f754a99675d`

Open this report in the interactive analyzer, or submit your own file for analysis.