PDF malware analysis — malicious · 0ec6a51df34fee7a

MALICIOUS

PDF

83.3 KB Created: 2021-10-07 15:06:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 90034aafd9f59adc5921a299107b4983 SHA-1: 09833edfa658305c7ef80abbe79099632a79fd94 SHA-256: 0ec6a51df34fee7aa1a7417c42a425b42a77afea9b9f4ff7cd9c6110a1ab3c1a

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The presence of embedded JavaScript and multiple heuristics indicating a link farm on potentially compromised CMS uploads strongly suggests malicious intent. The ClamAV detection and ML classifier further support this, pointing towards a phishing or malware distribution scheme. The embedded JavaScript likely facilitates the malicious activity, possibly by redirecting the user to a malicious site or downloading a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9974

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://tverzhilservis.ru/foktver.ru/ckfinder/userfiles/files/59280513878.pdf
- http://akgdsgfly.pretty-match.com/upload/files/sotelewemen.pdf
- https://alzubidi.com/userfiles/files/23155075928.pdf
- http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/161558ffd96235---gebudulidusosunejudubor.pdf
- https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/79684e1ae3aca758298ca610291b0e68/xubepugowodatibebosibadex.pdf
- http://gyndoktors.de/ckfinder/userfiles/files/44111128313.pdf
- http://ukwoodrecycling.com/userfiles/files/82189535211.pdf
- https://tongdaidoanhnghiep.com/app/webroot/upload/files/69300001033.pdf
- http://drsuthichai.com/userfiles/files/67211612330.pdf
- http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614d67fcb4810---vexabated.pdf
- https://opremazabebe.me/userfiles/file/nuwiwomepejanurapo.pdf
- https://taechoclub.com/FileData/ckfinder/files/20211006_DAA87627A31FBDFF.pdf
- http://xn--e1aazeoc7d.xn--p1ai/images/shared/file/kulabevimifomeg.pdf
- https://www.mppoa.cloudlinesystems.com/assets/ckfinder/userfiles/files/beguputododogagisamavota.pdf
- http://autosoftware.company/autoresponders_images/files/28857929239.pdf
- http://botosani.ro/img/uploads/file/23341076236.pdf
- https://petribax.com/userfiles/file/25972659505.pdf
- http://gabinetortodontyczny.eu/userfiles/file/54865696811.pdf
- https://burlingame.com/wysiwygfiles/file/87389654164.pdf
- http://www.yemany.com/yemfiles/files/93142208199.pdf
- http://kingsauto-bar.com/js/upload/files/96351676172.pdf
- https://thefertilizerproductionline.com/d/files/suroxejipunev.pdf
- http://irodaszer.lukinserv.hu/file/1526805507.pdf
- https://tecnicadovolante.com/images/file/29209099901.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=faulty+causal+reasoning+examples
- http://crossfit28.com.s125853.gridserver.com/siteuploads/editorimg/file/wirudemufanagowakufa.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ddbe.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDDBE	16792 bytes
`font_01_sfnt_off0000f5d5.bin` `de7df1c6342ee7d3e7ad549abe42736c3df06796a8d4f73604430f774ecf6723`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF5D5	11008 bytes
`font_02_sfnt_off00010f76.bin` `8d89fc7c24d91acec2c253c8d85bff9eed96ed40d0a4c73b712ecbee39e6f509`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10F76	18124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.