PDF malware analysis — malicious · 1028f1f3018adafc

MALICIOUS

PDF

190.2 KB Created: 2021-07-31 09:41:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23

MD5: b943687c20df678bd707b027b319dcf0 SHA-1: 42e89566c876a2d7611b9e1ea7a702ada27ea830 SHA-256: 1028f1f3018adafc44b64bf9dc33b8435ee6a1e6987cbff768eaf5819129b484

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs, many of which point to compromised CMS upload directories or disposable hosting, suggesting a link farm designed to lure users to download further content. The ClamAV detection and ML classifier indicate a high likelihood of malicious intent, likely related to phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.6354

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bomnuocebara.com/quangbasanpham/app/webroot/upload/image/files/29444656236.pdf In PDF document text
- http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a78183a1783---xitekolejipidizavoxosawik.pdfIn PDF document text
- http://naoshima-habitant.com/94898397598.pdfIn PDF document text
- http://elmiraclassiccountry.com/wp-content/plugins/super-forms/uploads/php/files/ehio14mfg2cjt81rgtlrm9bk13/24200957869.pdfIn PDF document text
- https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/089de3398a390ea3fdd565056895ab85/59890614797.pdfIn PDF document text
- http://photou.cc//ckfinder/userfiles/files/33832534248.pdfIn PDF document text
- https://lawrenceyezersky.com/userfiles/file/xorosutupanopalu.pdfIn PDF document text
- http://cybernet.asia/UserFiles/File/21157559952.pdfIn PDF document text
- https://www.criteriainvest.com.br/wp-content/plugins/super-forms/uploads/php/files/ae8uloqol22467gq35i0phus5k/83099489718.pdfIn PDF document text
- http://lisahyatthealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085b94a00c71---zenejiwezomigejijul.pdfIn PDF document text
- https://skyzoan.com/cake/beta/userfiles/file/38029102399.pdfIn PDF document text
- http://zentrumok.com/userfile/files/42804585307.pdfIn PDF document text
- https://aljazeerahdrilling.com/userfiles/files/jenugudilumojisovili.pdfIn PDF document text
- http://leilehua76.com/clients/4/4d/4d80c013f15dbe3c797666a457780dca/File/sapetalopitokafoduxe.pdfIn PDF document text
- http://adance0112.com/upfile/editor/file/dejonegugobawo.pdfIn PDF document text
- https://olterus.info/contents//files/29304585249.pdfIn PDF document text
- https://www.dentaltaxpros.com/wp-content/plugins/super-forms/uploads/php/files/2ff8037e8fc9930371b6fae64814a60c/1897768383.pdfIn PDF document text
- http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/0tqjf1b79nvj7sco2q08hjdg32/melasova.pdfIn PDF document text
- http://dentalcenterstudio.it/userfiles/files/91652286654.pdfIn PDF document text
- https://istanajpdua.com/contents//files/92861092530.pdfIn PDF document text
- https://blueridgelightingandcontrols.com/wp-content/plugins/super-forms/uploads/php/files/ab896ed480cac2e72a5194db2efbad5c/vegipizaviwes.pdfIn PDF document text
- http://yuanjen.com/ckfinder/userfiles/files/69281553718.pdfIn PDF document text
- http://worthingtonpark101.com/userimages/55755002387.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/FevRqgeaUVY/uplcv?utm_term=magnus+chase+book+2+pdf+free+download+weeblyPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_008_off0002903c.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2903C	22480 bytes
SHA-256: `bd2861374ac6c8527d26cac123bb1b6f23cdf674ae41d5ad59f920c1cb93bd15`
`font_00_sfnt_off000275da.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x275DA	11356 bytes
SHA-256: `2b5853d1769b292ad39a26a8299aeb5eae5b02eb027c86ba69038ec210b3df89`
`font_02_sfnt_off0002b789.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2B789	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.