PDF malware analysis — malicious · 139715fbc73d18d0

MALICIOUS

PDF

95.2 KB Created: 2021-07-30 00:33:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12

MD5: 542cfffb5feb658f67e04096ecda113e SHA-1: 2a4ff34ea07dfa37bf0c5b540ba54d1908187427 SHA-256: 139715fbc73d18d0650c1956d76a3523905badd5780f815a6148093e27a59115

196 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

This PDF document was flagged by a machine learning classifier and ClamAV as malicious. It contains a 'Clipboard command execution lure' heuristic, indicating it instructs the user to copy and paste content into a shell, a common technique for executing malicious commands. The document also hosts numerous links to potentially compromised WordPress sites, suggesting a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9855

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://insights3.com/wp-content/plugins/super-forms/uploads/php/files/ddc4431d2b495489f37d6d4ffa594a47/46653112516.pdf In PDF document text
- https://www.avenueroadadvertising.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e2755bfbf0---kelovewegozenin.pdfIn PDF document text
- http://khachsansapa.vn/webroot/img/files/45853292407.pdfIn PDF document text
- https://www.vedaaz.com/wp-content/plugins/super-forms/uploads/php/files/0a032b95f3c2d944ac839155522723e3/87874931402.pdfIn PDF document text
- https://holzhaus-suedtirol.it/wp-content/plugins/formcraft/file-upload/server/content/files/160790dcde83f9---96778540806.pdfIn PDF document text
- http://automotiveenergy.cz/userfiles/file/mimisuloxedeg.pdfIn PDF document text
- http://imagespa.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1607949f815637---vinemalebasajowamekiti.pdfIn PDF document text
- http://gallery4walls.com/upload/editer/file/81163758893.pdfIn PDF document text
- http://rorolaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/jofatelojonate.pdfIn PDF document text
- https://oriental-kitchens.com/userfiles/files/xaxijivenemake.pdfIn PDF document text
- https://empylean.com/wp-content/plugins/super-forms/uploads/php/files/sn7cr0m2t1at0pk5get3b7gduh/8169361788.pdfIn PDF document text
- https://jfefood.com/wp-content/plugins/super-forms/uploads/php/files/189f121310131ad16bf4d65059f70178/78800056260.pdfIn PDF document text
- http://patanamachine.com/imgUpload/files/95534414793.pdfIn PDF document text
- https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f759be9939.pdfIn PDF document text
- http://autofulltravel.com/userfiles/files/19881962319.pdfIn PDF document text
- https://rajakedua.com/contents//files/forebulana.pdfIn PDF document text
- http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/160a8fe57c4c82---xizasovabedotewuto.pdfIn PDF document text
- http://staropolski.net/Upload/file/96794347196.pdfIn PDF document text
- http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/4qdfs09c6v6uhmlk83c40lm74l/78940178875.pdfIn PDF document text
- https://bellevuecommunityfoodbank.org/wp-content/plugins/super-forms/uploads/php/files/cbfe70d795aba3329dfca43e1e47fc78/vakebadapama.pdfIn PDF document text
- http://klhl.com/userfiles/file/birenobun.pdfIn PDF document text
- http://botanicgardenscafe.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16075c3fb35b58---ranudewer.pdfIn PDF document text
- https://seataclightingalaska.com/wp-content/plugins/super-forms/uploads/php/files/f816ab106100e0f8ebc38bcef759ef15/lorebodalukozufumojomef.pdfIn PDF document text
- http://studiodrago.eu/userfiles/files/22494759198.pdfIn PDF document text
- http://ersatzmonitor.de/userfiles/file/zizulopamiluv.pdfIn PDF document text
- http://alexlunacoach.com/img/editor/file/tomira.pdfIn PDF document text
- https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/5d9f49e586792ca7f20a68df6222d7a6/luwitafaruselifigam.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=how+to+copy+a+discord+server+picturePDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010b32.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B32	18132 bytes
SHA-256: `7832e5ad2b06733794538d21eb5d06d8341e4777aafad34cadf574db991a19a7`
`font_01_sfnt_off00013b43.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13B43	10712 bytes
SHA-256: `65daa8b505d88279e174f155793d848545b3cba5dea98cb65646a780b88407bf`
`font_02_sfnt_off00015419.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15419	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.