PDF malware analysis — malicious · 11504a1112b5a62b

MALICIOUS

PDF

88.0 KB Created: 2021-06-30 11:57:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 5719d694b11972bc3b1be0fd5825aba9 SHA-1: 5819ea585732fdfcf8ec6dce61ab97623925c060 SHA-256: 11504a1112b5a62bd190b1e2936b8a26d647000bc00d0dc0d30658cb79ab765b

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. The PDF contains a link farm pointing to multiple compromised WordPress sites, likely intended to trick users into downloading a malicious second-stage PDF. No scripts were extracted, but the presence of numerous malicious URLs suggests a phishing or credential harvesting attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9942

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1607211c14e728---80949549869.pdf
- https://hsse.cl/files/20174409599.pdf
- http://muzeumostrowiec.pl/obrazy/file/39392508031.pdf
- http://gsoam.ge/wp-content/plugins/formcraft/file-upload/server/content/files/160773969922f4---webivixugarobagupikakesu.pdf
- http://antik-cafe-bergen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c6c33e66a0c---xuvavafinavevowumirimuviw.pdf
- http://amako-ra.com/wp-content/plugins/super-forms/uploads/php/files/e7181cdfc32400b296fcd4ee9b1e969c/32239636053.pdf
- https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/2b918f2728bf2f8fbfbc961d500460ee/98052431595.pdf
- http://sugarfree-gelato.com/upload/file/34269936114.pdf
- https://agenciaboom.com/wp-content/plugins/super-forms/uploads/php/files/1ghqbtks8n9us7l073puigbo81/selejuveduwepopava.pdf
- https://f1com.ge/wp-content/plugins/super-forms/uploads/php/files/3d619223feea8e97bea7a4976da5c46b/96487387955.pdf
- http://bahsclassof1965.com/clients/1/1d/1db829f64c2e26d3b32b12ccabba4d7c/File/3622098896.pdf
- https://promocionesnma.com/wp-content/plugins/super-forms/uploads/php/files/14aaf3ac162374bfce0a44f0bd2f26e4/gukajomadib.pdf
- http://www.uppld.org/wp-content/plugins/formcraft/file-upload/server/content/files/1608a540b8b5b6---fawenuvonasopugivopap.pdf
- https://deedpoll.sg/wp-content/plugins/super-forms/uploads/php/files/a5165d864c67aea9c910ec3fb67b73ca/xivapoluvugekekotur.pdf
- https://reifenscho.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c6fa5e89ec1---kezufodefam.pdf
- http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c6f999be9c---totitijor.pdf
- https://www.explosivo.gr/wp-content/plugins/super-forms/uploads/php/files/c71778acc53d7ac01c603a493954881b/40274124486.pdf
- https://cgeminfos.ma/upload/file/loditivinima.pdf
- http://kelvista.lt/images/files/42569054060.pdf
- https://vickers-electronics.co.uk/wp-content/plugins/super-forms/uploads/php/files/dce04e781068189243b3f31d2fa17502/nogarobapikaxajedazo.pdf
- https://yidinfo.net/wp-content/plugins/super-forms/uploads/php/files/8t0pj0sc4su2ullp5qkcnhac6c/xenefebapu.pdf
- http://amfmeg.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607d235b1c5d8---82493940861.pdf
- https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/1a5d2f75fb2ee0ec0b0b07336d014a7d/23162938901.pdf
- https://bikeid.net/ckfinder/userfiles/files/44521792884.pdf
- http://aircond.md/upload_fck/file/81078997234.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=how+to+open+two+pdf+documents+side+by+side
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f08d.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF08D	16792 bytes
`font_01_sfnt_off0001089f.bin` `86fa2773972ea0426a36d8058a63bea9913b2e45469a757f8c1191d46c0b8422`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1089F	18976 bytes
`font_02_sfnt_off00013988.bin` `fa01741d945000c68713e87dc05b2f955aaa5185f0a6f16310d312cb9e30aad8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13988	10904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.