PDF malware analysis — malicious · 152fda6d923c606e

MALICIOUS

PDF

77.8 KB Created: 2021-06-24 12:48:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 0f84dc7843d555a9414ce7cb23c504f2 SHA-1: 4acd4a94191191a05addb7e0bd7c3e9cf97e6de3 SHA-256: 152fda6d923c606eb3c1cb07df3d0e254c8948156589fd72fbc209b1306a273e

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing lure designed to redirect users to malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://inwebjor.ru/uplcv?utm_term=twilight+breaking+dawn+part+2+download+480p
- https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c4d820e52b4---41069574042.pdf
- http://www.justgiveahand.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609c51a020c64---midiziru.pdf
- https://nobleanimalsanctuary.org/wp-content/plugins/super-forms/uploads/php/files/tmp/7589971354.pdf
- http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/16080e5c2b6433---gitebaniv.pdf
- http://bafiti.com/sklep/userfiles/file/wiwazegunafakun.pdf
- https://mvpartners.be/images/uploadedimages/file/zevapujeposoresawelubolev.pdf
- http://vivaibonomo.it/userfiles/files/wefaka.pdf
- http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a97791f0fb3---70170638260.pdf
- https://www.mnspineandsport.com/wp-content/plugins/super-forms/uploads/php/files/00e840d0466cfb064a8e266c255c4b76/xomifozigifezawidolatiw.pdf
- http://wksystems.net/HotelEstimator/userfiles/file/80022722451.pdf
- https://claphamjunction.com.au/wp-content/plugins/super-forms/uploads/php/files/4c72dbe34beaec19bba3e67906aac580/91082767078.pdf
- http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a78cb845d66---35925972457.pdf
- https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d5bd4265b0---22345925165.pdf
- https://www.straightmyteeth.com/wp-content/plugins/super-forms/uploads/php/files/cb9c2482268d16d5e08f56f13aada1d5/rubopifogegolisisos.pdf
- https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/160967c57d2687---23206848330.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d95d.bin` `2d5327ec257f50cabc124b5ce3bfd8815e863a17aaa7db472b0fb1baa2ad11fd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD95D	5844 bytes
`font_01_sfnt_off0000ed49.bin` `daf93af2afaa5d0cad88eae68ef5350d3eec2409778cc6fd80351a5c4bc7a68a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED49	11612 bytes
`font_02_sfnt_off000114f0.bin` `aca4cc7a4adecbe8d3b69816f606a775e78e0cb22b4b713e3bf6556a18461847`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x114F0	16124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.