PDF malware analysis — malicious · 190214d1ed738e59

MALICIOUS

PDF

112.6 KB Created: 2021-06-27 09:54:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14

MD5: 8729b0be3b405621d663345ba593abda SHA-1: 7942eafe1569c11d4875c0c57192619fb7d5362f SHA-256: 190214d1ed738e59e4260509b2a345b062e4d43954f017a8d75faae7f1a0d7b6

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous links pointing to compromised WordPress sites, acting as a link farm to distribute further malicious PDFs. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and the 'download button' heuristic suggest a phishing or malware distribution lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9666

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.ibadirect.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c96e993fbe7---87947622996.pdf In PDF document text
- http://www.kidnuri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160742c5ba50c5---78664134646.pdfIn PDF document text
- https://aduanaldelvalle.com/userfiles/file/vitunurojexemupedomin.pdfIn PDF document text
- https://swotin.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fef50ca410---nimasapereses.pdfIn PDF document text
- https://camile.vn/wp-content/plugins/super-forms/uploads/php/files/d655v8ugnt7691bsqdgrb7261d/denisuvasodapebufigena.pdfIn PDF document text
- http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/160a7cb19c458b---pofasererema.pdfIn PDF document text
- https://pet-fashion.ro/mm/file/vusawazatasenalivurip.pdfIn PDF document text
- http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/3d2c09771fe5def162301c2673bc92ea/zenajefininoperaf.pdfIn PDF document text
- http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16076d2f3058f0---sazono.pdfIn PDF document text
- https://unosms.us/userfiles/file/nuzomomogesamiroda.pdfIn PDF document text
- https://www.xcelsus.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608ee84461610---sopitopip.pdfIn PDF document text
- https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/1223b103122183942caa1a557da29d77/patogeroluzemeta.pdfIn PDF document text
- http://upperdublin1970.com/clients/3/3b/3b2fb281f4756d03d37a29c41a8c1d95/File/ziwinejobojerikezemox.pdfIn PDF document text
- http://www.melloecastro.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608310dd03a0b---demetuboxosuburux.pdfIn PDF document text
- https://unitedcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609097776e029---81626934528.pdfIn PDF document text
- https://frennphotography.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2c580ace25---24514375471.pdfIn PDF document text
- https://zahnersatz.pl/userfiles/files/71477247934.pdfIn PDF document text
- https://www.lindopoint.it/wp-content/plugins/super-forms/uploads/php/files/1f30b1dd1632ea108772e8c813c5e218/savaputonud.pdfIn PDF document text
- https://churchosonline.com/wp-content/plugins/super-forms/uploads/php/files/776f3a999543598776696039d168652f/66913484181.pdfIn PDF document text
- https://airshow-bg.com/file/biwuvekawi.pdfIn PDF document text
- https://jfefood.com/wp-content/plugins/super-forms/uploads/php/files/e79e3f83ac27407d619c27d3474429be/javedilisonewogowofa.pdfIn PDF document text
- http://kbchina.de/upload/damuvuk.pdfIn PDF document text
- https://mziagroup.com/wp-content/plugins/super-forms/uploads/php/files/cgv51rkc9tehbjau0r1mn9bc37/xebojozokedetaboxu.pdfIn PDF document text
- https://greyquotient.com/wp-content/plugins/super-forms/uploads/php/files/8052adafbaa4ac2d441b412891fb1950/zubofonoxafotixosatir.pdfIn PDF document text
- https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/cb9aef2bfbba868a39c297d54497dc7c/21174966413.pdfIn PDF document text
- https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8f89173d3a---63026546135.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=the+body+keeps+the+score+pdf+free+downloadPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00013d6d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13D6D	18196 bytes
SHA-256: `8c8f3826387e98f972ad676bf720a68f0636de941898b79a51f60c5a66851af0`
`font_01_sfnt_off00016d7b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16D7B	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00018592.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18592	11020 bytes
SHA-256: `8a5addf4db147774d1f11ee427bd77d4b037fd3d05af7d54a287837acfbaf1c4`
`font_03_sfnt_off00019f0a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x19F0A	16100 bytes
SHA-256: `6b54a3f50d1a413a5c8c0ed289a9c866e37e8bd73df0b162fe7132700ce54c18`

Open this report in the interactive analyzer, or submit your own file for analysis.