PDF malware analysis — malicious · 0e829c0d0646520a

MALICIOUS

PDF

86.2 KB Created: 2021-06-27 19:11:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-02

MD5: b563ccd2fb5b4f74369841de09a4f390 SHA-1: 21364328dbc41967ed27aed9c7b26310fd41c87c SHA-256: 0e829c0d0646520ad2db2cc8c9c2c2c15c53657847a67c852b9bf740518848a5

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file contains numerous embedded URLs, many of which point to compromised WordPress installations or disposable hosting, indicating a link farm designed to redirect users. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent. The primary goal appears to be directing users to potentially malicious or phishing websites.

Machine Learning

Nyx PDF Classifier suspicious score 0.3632

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://abstractcomplexx.com/wp-content/plugins/super-forms/uploads/php/files/e51e1bf10b69ccadd743405b830abddd/80552187026.pdf In PDF document text
- http://yfatc.com/userfiles/file/notexobodabipugomokizok.pdfIn PDF document text
- https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/6c1be179e780edd985d4626bdb55ea09/6664758738.pdfIn PDF document text
- http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c7b404edfe1---fegop.pdfIn PDF document text
- https://rugsinc.in/UserFiles/files/gugowusezimifanibakidudaj.pdfIn PDF document text
- http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/160900cae2f7f9---xavevurozijibosas.pdfIn PDF document text
- https://kantankacreative.com/wp-content/plugins/super-forms/uploads/php/files/6d75d115671cf6ece0fa7eabfc2701b2/82140879761.pdfIn PDF document text
- http://aksaaydinlatma.com/img/editor/image/file/natoku.pdfIn PDF document text
- http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/16095a304218f1---pulekojunazekitot.pdfIn PDF document text
- https://carpanea.it/wp-content/plugins/super-forms/uploads/php/files/584eb2cef7076e72a79bc4a8fe2aef3c/tavofebonel.pdfIn PDF document text
- http://aczelzalog.hu/tmp/xuzawijabirufenukumobala.pdfIn PDF document text
- https://nobleanimalsanctuary.org/wp-content/plugins/super-forms/uploads/php/files/tmp/takazumolugigev.pdfIn PDF document text
- http://jinanxintiandi.com/userfiles/files/voruxukuzejubuv.pdfIn PDF document text
- http://www.lightingandhvacexpo.com/wp-content/plugins/super-forms/uploads/php/files/c36b86691c24b265432c4bba5d0b110a/tevebilabitakesofed.pdfIn PDF document text
- http://big-blue-bus.com/pics/fotos/1/file/6091725693.pdfIn PDF document text
- https://peterdegendt.be/file/42979189765.pdfIn PDF document text
- https://asi-filter.pl/files/file/rabugenanisuxefetixi.pdfIn PDF document text
- https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/37c8a6cde46bec2afdea811e4c62f58c/5670092066.pdfIn PDF document text
- https://www.sblending.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160712e3fca4ec---75590746803.pdfIn PDF document text
- https://bamfieldrental.com/userfiles/file/25925928330.pdfIn PDF document text
- https://www.clubmanizales.com.co/wp-content/plugins/formcraft/file-upload/server/content/files/1606cc0df6ab4f---7162420900.pdfIn PDF document text
- http://aiskreunion.com/clients/b/b4/b417c2091670ce0b0d78f4b231aea02c/File/13746292306.pdfIn PDF document text
- https://dacinsara.ro/fckfiles/file/pegewikilog.pdfIn PDF document text
- http://bioterapiazabiegi.pl/obrazy/file/93213162297.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=happy+easter+2020+datePDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010287.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10287	17648 bytes
SHA-256: `0190116ab9952645dc89dc127ccd7ace4d0620c3cda3545e8bc269bd4d2d567d`
`font_01_sfnt_off0001308f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1308F	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.