PDF malware analysis — malicious · 15e17bef2142ff80

MALICIOUS

PDF

111.3 KB Created: 2021-07-16 06:35:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: 9be2ba4de55b0c96171c3d7c805a47db SHA-1: b14cb5c3546944896e6981f4930b58a1cda96d7c SHA-256: 15e17bef2142ff80ae7f68d3e80feb290ed1bc0a2f3fe65baa9f4ce148351c24

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous links, many pointing to compromised websites or disposable hosting, suggesting a link farm designed to distribute malicious files. The presence of a 'password-protected archive handoff' heuristic indicates a common tactic to bypass security scanning. While no scripts were explicitly extracted, the PDF structure and link farm behavior are indicative of a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9698

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ebiocell.com/uploadfile/file///2021071604455029.pdf In PDF document text
- http://bike-aholic.com/UserFiles/file/53903539331.pdfIn PDF document text
- http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f4b0eb5d4e---27448976255.pdfIn PDF document text
- http://bobas24.pl/Upload/file/25373094441.pdfIn PDF document text
- https://amartzon.store/wp-content/plugins/super-forms/uploads/php/files/27628c3521545dffbc160bfc23a19e53/32850049324.pdfIn PDF document text
- https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607cf7105c1b6---tefitivuvepevebeza.pdfIn PDF document text
- http://intergeored.com/upload/File/3469592919.pdfIn PDF document text
- https://www.isgs.org/wp-content/plugins/super-forms/uploads/php/files/1cbca325b3d62828559d208a4bbc83d4/50700128141.pdfIn PDF document text
- https://www.dentaltaxpros.com/wp-content/plugins/super-forms/uploads/php/files/c68f3906b8762d720d3fb01ad4ada980/61121387220.pdfIn PDF document text
- https://www.projectorrentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b0d535eee7---20510416097.pdfIn PDF document text
- http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/160d43b6dddf47---48312548532.pdfIn PDF document text
- https://daaeportrett.no/upload/file/69273318563.pdfIn PDF document text
- http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afd29c5fb38---90479421400.pdfIn PDF document text
- http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a87adb93cd5---83274586186.pdfIn PDF document text
- http://mirembeestate.co.ug/wp-content/plugins/formcraft/file-upload/server/content/files/160abe66a37fbe---konar.pdfIn PDF document text
- http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b0f3d5194d6---rubotisirugur.pdfIn PDF document text
- https://desertflying.club/wp-content/plugins/formcraft/file-upload/server/content/files/1608e7ddc63776---83453938429.pdfIn PDF document text
- https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7cfd10b091---meberesodemajage.pdfIn PDF document text
- https://egf.tw/test2/images/file/padijareginibesat.pdfIn PDF document text
- http://sportschoolindex.nl/images/uploads/napuxuretali.pdfIn PDF document text
- https://watertorens.nl/userfiles/file/rokalajojilo.pdfIn PDF document text
- https://baileyelectrical.services/wp-content/plugins/super-forms/uploads/php/files/4f22ucpdarsqbfmtn8ddaonn3c/bojajufetaxinuz.pdfIn PDF document text
- https://realestateconnect.biz/wp-content/plugins/super-forms/uploads/php/files/peq4c94758f35354dioef96nv0/29755690614.pdfIn PDF document text
- https://ozmutludokum.com/userfiles/file/lokoj.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=the+miller+indices+of+the+plane+parallel+to+the+x+and+y+axes+arePDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010de1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10DE1	11064 bytes
SHA-256: `d471d6a50f672cea6ad1b5cab40d3a57c8cc1b2c7e4e95a8589eb698806c80da`
`font_01_sfnt_off00012774.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12774	23872 bytes
SHA-256: `2d59df2718fec82c4178a000c73cd65e4808679fc9cbda9b04c5800921bfbedb`
`font_02_sfnt_off0001645f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1645F	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off00017c6c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17C6C	8748 bytes
SHA-256: `8b1af2c2800c972dc4fa5c2e3c4fc4868c40591bae5e113a80b0dbc6c84a7235`
`font_04_sfnt_off00019887.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19887	16180 bytes
SHA-256: `915c83616028ac75c7aff43ffa8c8bb1a3877bc8821db44c0945d237dfb9d556`

Open this report in the interactive analyzer, or submit your own file for analysis.