PDF malware analysis — malicious · 135e65058e2f7c3d

MALICIOUS

PDF

77.6 KB Created: 2021-07-16 12:53:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05

MD5: a11b8f55788ebb83d924611640bda6fc SHA-1: ad34d0ef080d25beb80cc1013ca03c9c2b6c5cf0 SHA-256: 135e65058e2f7c3df62171722643201e982ec08598f4d9c9be55bf55c3fac674

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was identified as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous embedded URLs that point to compromised WordPress sites and other disposable hosting. These links likely serve as a lure for phishing attacks or to distribute further malware. The file's structure and the nature of the URLs suggest it is part of a campaign to redirect users to malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.7451

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://irlanc.ru/uplcv?utm_term=moment+of+inertia+of+triangle+about+neutral+axis PDF link annotation
- https://jdbailbonds.com/wp-content/plugins/super-forms/uploads/php/files/25cdd29aacdbd33b7e2cba2ab62620fc/77064347096.pdfIn PDF document text
- http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a686d8afa98---nizumigebovodapigolubevof.pdfIn PDF document text
- http://ansonseatery.com/uploads/files/dudivug.pdfIn PDF document text
- https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/ab94a5261f0fa4b1cd770de0fb7acdd8/87232836294.pdfIn PDF document text
- https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb8591a6ff---8585410997.pdfIn PDF document text
- http://bougerpourstarlight.ca/clients/c/c6/c668404594a1c08d975ab50c7bec58f6/File/50604588331.pdfIn PDF document text
- http://www.johnknox.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160732b49401e7---27591999845.pdfIn PDF document text
- https://acgroupenterprise.com/userfiles/file/30223547202.pdfIn PDF document text
- http://www.norestim.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b8f93686bd9---wodezilivif.pdfIn PDF document text
- http://etasystem.net/userfiles/files/92177061974.pdfIn PDF document text
- https://audit-advisers.com/userfiles/file/25712199752.pdfIn PDF document text
- https://agrachoff.ru/wp-content/plugins/super-forms/uploads/php/files/c757a4e7ca28e47afdce6926afa07ddc/ruxemirevazetinupi.pdfIn PDF document text
- https://www.engltg.com/wp-content/plugins/super-forms/uploads/php/files/3c39c34af3d66991b06a1dbe635b9f53/jovivunetemelulukunodix.pdfIn PDF document text
- http://mim2010.ru/userfiles/file/7065180329.pdfIn PDF document text
- https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/6ccf2dd6fa7821c97dcc96259f892d4e/letixavizozavirubimi.pdfIn PDF document text
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160cb07d81abd6---84678968644.pdfIn PDF document text
- http://www.sensible-seeds-premium.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085248c40194---lukigefakemuli.pdfIn PDF document text
- https://dutchfansitenetwork.nl/ckfinder/userfiles/files/15100355421.pdfIn PDF document text
- https://mkting.com.co/wp-content/plugins/super-forms/uploads/php/files/1fccddf796a5ee4815975568ae5a3bcf/nojamuderaj.pdfIn PDF document text
- http://witnesstherealist.com/wp-content/plugins/super-forms/uploads/php/files/a833009e19a20315f5b6c43e15c43951/17799435363.pdfIn PDF document text
- http://extracam.es/app/webroot/arxius/file/gawegupubaxa.pdfIn PDF document text
- http://naturallymine-chicago.com/clients/867610/File/gekapulikibivizareg.pdfIn PDF document text
- https://www.hinogas.com/wp-content/plugins/super-forms/uploads/php/files/0ou5jb3cdvp9dd2rqghr3tr1u6/reninoxudexusoteridakij.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011932.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11932	10892 bytes
SHA-256: `3f0cf7ee508465251eb5135fecc24d4d187e10199935724f1a41222e998f41a3`

Open this report in the interactive analyzer, or submit your own file for analysis.