PDF malware analysis — malicious · 1c5d0eb90edfe161

MALICIOUS

PDF

74.7 KB Created: 2021-09-25 04:49:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: a26414c01bb8908a5e649ba5f0bdb0db SHA-1: c750350e7a724d5670e2efa134a6173362bbae21 SHA-256: 1c5d0eb90edfe1619cac21a726d1678581291af5f90cef34222808964b10b126

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm pointing to compromised WordPress uploads and disposable hosting, suggesting a phishing or malware distribution scheme. The embedded URLs are likely used to redirect users to malicious sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9827

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://philabc.ru/uplcv?utm_term=android+app+daten+auf+sd+karte+verschieben
- https://hv2barrier.com/application/third_party/ckfinder/userfiles/files/93791499365.pdf
- http://philipwillettelaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/bijarowuregejosevov.pdf
- http://szentistvanpatika.hu/upload/file/fitoxe.pdf
- http://clubselectionvoyages.com/images/file/61743904888.pdf
- http://mega.kz/media/upload/files/xekaputagakikibijozisumu.pdf
- https://jiu-hang.com/upfiles/editor/files/zukabusonolokofisija.pdf
- http://baracenter.be/userfiles/file/vagusifasipunabe.pdf
- https://skillmapmagazine.com/ckfinder/userfiles/files/xuvaledup.pdf
- http://sgadsahodayatarntaran.org/sahodyatarntarannew/userfiles/file/xekuwuzisapedoxul.pdf
- http://stavo-bazar.cz/userfiles/file/vuwutogafobixomenorinixem.pdf
- http://magdrywall.com/project-new/christianbook/upload_images/file/69085158.pdf
- https://birutelorasin.com/contents/files/83589766224.pdf
- https://fatheragneliti.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613c3d2f5a4f2---liluw.pdf
- http://bojovesporty.cz/userfiles/file/rasanuvalepanutev.pdf
- https://tsegypt.com/file/81181104327.pdf
- https://sukienmiennam.com/userupload/files/71931056069.pdf
- http://bubb.cn/up_file/file/diberudububixeziwozes.pdf
- https://china-glass-mosaic.com/userfiles/files/20210906_220848.pdf
- http://dytac.hk/userfiles/32395507355.pdf
- http://prosefkuchare.cz/userfiles/divejavimosano.pdf
- https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/161423afe40ee9---43272521715.pdf
- http://china-baby-clothes.com/d/files/25173751475.pdf
- https://livre-art.com/ckfinder/userfiles/files/mupezekipabotel.pdf
- http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1614e569c6b912---80078855739.pdf
- https://handinhand-daycare.com/ckfinder/userfiles/files/60174252378.pdf
- https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/47240da47e59c16148a25f9cbf211179/78355458440.pdf
- http://austral-immo.com/userfiles/files/43504778010.pdf
- http://honeystraw.com/uploadfiles/file/19207080206.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bd54.bin` `aeba6205a6c927fc8ea0f4834f698679662cc07f3809e78dd6dbf0e1f236456a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBD54	17808 bytes
`font_01_sfnt_off0000eb84.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEB84	16792 bytes
`font_02_sfnt_off0001039b.bin` `f7f4686a1ab59eeb04692b642fba2e4d4f50634d39124fd533ba9cac8e7a7506`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1039B	11052 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.