PDF malware analysis — malicious · 13a304582b04d68a

MALICIOUS

PDF

79.3 KB Created: 2021-09-02 03:17:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23

MD5: 99704c27d7e1795609521ef42d7e4ba3 SHA-1: 25590497a5776c0158606287d31a74b98cc9916a SHA-256: 13a304582b04d68a3b5ef6e0ff15ef51ad63c5070b771bcae46436d39a936ca8

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The sample is identified as malicious by ClamAV, indicating it is a Pdf.Phishing.Trojan. Static analysis reveals the PDF acts as a link farm, directing users to multiple compromised WordPress upload directories and disposable hosting sites. The presence of numerous external URIs and the 'PDF_SEO_DISPOSABLE_LINK_FARM' heuristic strongly suggest a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier suspicious score 0.4216

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://garglob.ru/uplcv?utm_term=scallops+with+capers PDF link annotation
- http://videoacceso.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b72a9ce0adc---72392486364.pdfIn PDF document text
- http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e739086292---28477777619.pdfIn PDF document text
- http://hintzfamilyreunion.com/clients/1/12/12a2788c5de59b93c87e4eff35998d4f/File/nunavumoti.pdfIn PDF document text
- http://ufnk.fr/app/webroot/files/file/1881812703.pdfIn PDF document text
- http://studiolegalezullo.eu/userfiles/files/10760595418.pdfIn PDF document text
- http://aldara-latinoamerica.com/userfiles/file/73492459062.pdfIn PDF document text
- https://treasurehunterdetectors.com/ckfinder/userfiles/files/ditebikomazi.pdfIn PDF document text
- http://osteriadelcampanile.com/userfiles/files/23460591866.pdfIn PDF document text
- https://veglifekc.org/wp-content/plugins/super-forms/uploads/php/files//24360563375.pdfIn PDF document text
- https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/kqpsf8tkl5utsn7ij14ev4mni4/74030604589.pdfIn PDF document text
- https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/10ad86ff155229ba65f000a243449a24/20617932428.pdfIn PDF document text
- https://a2designbg.com/userfiles/file/39956042041.pdfIn PDF document text
- http://aj-logistics.com/stock/userfiles/file/54711686934.pdfIn PDF document text
- https://inprovitcaribe.com/ckfinder/userfiles/files/89267213637.pdfIn PDF document text
- http://dok-vo.ru/userfiles/file/borujijidilo.pdfIn PDF document text
- https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/qof3tner9d5o9n03soh0jaj2bi/47112298763.pdfIn PDF document text
- http://nawooelcs.com/upload/userfiles/2021/06/files/210617230148.pdfIn PDF document text
- http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bc7d91d6eb2---pomisiwutagat.pdfIn PDF document text
- http://architettoseneca.com/userfiles/files/52069206625.pdfIn PDF document text
- http://szpitalstrzelin.pl/userfiles/files/safokafam.pdfIn PDF document text
- http://teleinwestor.com/userfiles/file/43382730914.pdfIn PDF document text
- http://omonetach.pl/foto/ilustracje/file/likurulubuvi.pdfIn PDF document text
- http://neodev.space/wp-content/plugins/formcraft/file-upload/server/content/files/160b655c0e57ec---93158615670.pdfIn PDF document text
- http://popnmusic.fr/userfiles/file/21854303211.pdfIn PDF document text
- https://angelsstaff.com/uploads/file/20633483798.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ddc6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDDC6	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off0000f5dd.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF5DD	10528 bytes
SHA-256: `442a4c7785e93e084411c22c9ba55c14baa25deb29f1c999a6fc11118c9dc13f`
`font_02_sfnt_off00010e0b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10E0B	18596 bytes
SHA-256: `ff7cf9f6edcdc44aa1be832da08a9f237a50c2ea391c3ad36d6ac65f00a8da90`

Open this report in the interactive analyzer, or submit your own file for analysis.