PDF malware analysis — malicious · 0ceaaa245d6a0cfc

MALICIOUS

PDF

74.8 KB Created: 2021-09-16 03:45:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24

MD5: 84cc66d676b881e6780b2c1a93e4cd8d SHA-1: 571a6b5c0040f9b622eebb2f8d5806a1e1bd44c0 SHA-256: 0ceaaa245d6a0cfca98332fbf0e05f01942d3f15c0e3fad467ae15392866ca72

132 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and numerous external links, many of which point to compromised WordPress sites or disposable hosting, indicating a link farm designed to redirect users. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely phishing or malware distribution. The embedded JavaScript is likely used to facilitate the redirection or exploit vulnerabilities.

Machine Learning

Nyx PDF Classifier suspicious score 0.4750

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://stotex.rs/files/vagojawogavunufuwugomip.pdf In PDF document text
- http://aleshashop.net/uploaded_files/userfiles/files/xezidupekitirikepumusuma.pdfIn PDF document text
- http://handgun.ee/media/file/tuxumipukageg.pdfIn PDF document text
- http://hoclaixebinhthuan.com/upload/contentFile/file/mowufomoxolamunugikuzines.pdfIn PDF document text
- http://ammk.sk/userfiles/file/66346893045.pdfIn PDF document text
- https://www.jaegeraviation.com/ckfinder/userfiles/files/rixizorow.pdfIn PDF document text
- http://transchem-tech.com/Uploadfiles/files/50573075994.pdfIn PDF document text
- http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613d39bbae638---96742485001.pdfIn PDF document text
- http://northmarking.com/userfiles/files/puxulukaxul.pdfIn PDF document text
- https://yenicekentkaplicasi.com/userfiles/file/lagunurefe.pdfIn PDF document text
- http://strahovka66.ru/userfiles/file/45136120214.pdfIn PDF document text
- http://studiozammuner.eu/userfiles/files/voxeguduzuzopudamewi.pdfIn PDF document text
- http://capitaldanceacademy.com/userfiles/files/zokonokika.pdfIn PDF document text
- http://www.hptindia.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141fea2dd20a---wolegivoz.pdfIn PDF document text
- http://mail-ex.net/userfiles/file/xeloxo.pdfIn PDF document text
- https://latgalesamatnieki.lv/files/file/19003113397.pdfIn PDF document text
- https://hobbypet.cz/files/file/91024633113.pdfIn PDF document text
- http://indigobaby.eu/upload/files/13117263159.pdfIn PDF document text
- http://pkynfe.net/userfiles/file/dinarapopififosigojivojam.pdfIn PDF document text
- https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/1613fb863841d2---38680314745.pdfIn PDF document text
- https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613db60a61cb5---posupekizaseli.pdfIn PDF document text
- https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16141993e58e06---tofomilenuvaganatibo.pdfIn PDF document text
- http://quimis.net/js/ckfinder/userfiles/files/27969649646.pdfIn PDF document text
- http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/16140f36a2a02c---wikawaxusuva.pdfIn PDF document text
- http://karthikeyanjayaram.com/userfiles/file/rezinegofonobi.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=new+window+shortcut+chromePDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d6be.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD6BE	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off0000eed0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEED0	16888 bytes
SHA-256: `f802025f710d12735b238a3e4a9aedb4ccc83ac3a8d06428b145438295b883dd`

Open this report in the interactive analyzer, or submit your own file for analysis.