PDF malware analysis — malicious · 175f249ae79f6e8d

MALICIOUS

PDF

86.7 KB Created: 2021-06-25 16:58:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 45319c2f08a71435af8d7817096bca03 SHA-1: 6796b387eb11c637edba0baba853a07d2ffad5f0 SHA-256: 175f249ae79f6e8d35f5877c1e6f076a9d6c81ed98517ea77e2f767d61a32af7

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF was flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a social engineering attack (ClickFix). It contains numerous links to compromised CMS uploads and disposable hosting, suggesting an attempt to distribute malware or phish users. The presence of embedded URLs and a 'download button' lure further supports the attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/jdg0l36gainlovchj94q799gn4/xoxitunigirejulowive.pdf
- http://duszek-lasu.pl/userfiles/file/48528030774.pdf
- http://permanentnimakeup-brno.cz/userfiles/files/dexobafimivezebogukefuz.pdf
- https://www.marthatrotts.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a8448e2ca6a---63691665432.pdf
- https://themodernla.com/wp-content/plugins/super-forms/uploads/php/files/711bb033b6c7b7eeaa014006afad1470/zitaxejanurisul.pdf
- https://www.vbclighting.com/wp-content/plugins/super-forms/uploads/php/files/be828ef7d642d61f114249d4b5b26306/rezason.pdf
- http://kahounova.cz/userfiles/file/pujugava.pdf
- http://bizwd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e16e9e86f8---novuvogigajiwi.pdf
- http://sushi-belovo.ru/files/piwamekidulamuze.pdf
- https://jiptv.nl/wp-content/plugins/super-forms/uploads/php/files/25bq6fd0bs4ec1k2cerr6ssobj/14364983731.pdf
- https://himalayanthailand.com/image/upload/File/munagulaxerulewatided.pdf
- http://investin-khj.ir/ckfinder/userfiles/files/tinowelusunin.pdf
- https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082c721522e9---gogivolefafu.pdf
- https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/160a6330c524c2---82695975108.pdf
- http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079476885684---65124324487.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=dualshock+4+disconnected+charge+the+battery
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000eeca.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEECA	16792 bytes
`font_01_sfnt_off000106dc.bin` `a12311cf63730f276f67be45c7b2c77d2ddd41e5ff634e642c41f8bef777d354`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x106DC	17176 bytes
`font_02_sfnt_off00013425.bin` `2eb78b05d13f3cb3e532e0967464d5a84397bf873f7ff1ece3229172d4c0ed4b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13425	11172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.