PDF malware analysis — malicious · 1e38c314b47d425d

MALICIOUS

PDF

206.4 KB Created: 2021-07-03 11:14:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: aad187bd1d2772e87bde6048718b933c SHA-1: ce0e4f4d1a26e86a6d64e4f2a72de6d307242cd2 SHA-256: 1e38c314b47d425d00eef0858a387ad0ad926612d147bf2cdf7532f6480c3e7f

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample is a PDF file detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised WordPress upload directories, suggesting an attempt to distribute further malicious content. The presence of numerous unknown URLs indicates a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.8156

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/e3db5db8724af5fec05947c3ffc61c39/63648786013.pdf
- http://app8itebarandgrill.com/admin/images/file/98308501496.pdf
- http://111-orte.de/testarea/cwsCMSlight/media/files/tibenon.pdf
- https://sonarmusic.hu/up_image/file/wodopitemoteka.pdf
- https://www.nosolodespedidas.es/wp-content/plugins/formcraft/file-upload/server/content/files/160a5dd9c6e2ca---43011517501.pdf
- http://wumag.pl/userfiles/file/17746617013.pdf
- https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/l1cevkh7m9h4c7fn4b85dh0032/sitasozonela.pdf
- https://www.budgetskemaet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160bb7244bd944---tisopadu.pdf
- https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/f90beca57114b160cf77598abcc18ac1/50339486572.pdf
- http://www.thediethub.in/wp-content/plugins/formcraft/file-upload/server/content/files/160c91674452ff---3551376058.pdf
- https://chp-travel.ir/data/file/97452180919.pdf
- https://sevsport.info/wp-content/plugins/super-forms/uploads/php/files/979b760c751f0c3996b1b0d1c7a621c0/34833628377.pdf
- https://adepotcustom.com/UploadFiles/file/20210520204451125.pdf
- http://studiotecnicobergamaschi.it/userfiles/files/kubedujopimisosesasuw.pdf
- https://www.sudburyhighspeedinternet.ca/wp-content/plugins/super-forms/uploads/php/files/065d7228181f82cbcc3f2bce1cadc9c1/80451726966.pdf
- https://formapolis.it/wp-content/plugins/super-forms/uploads/php/files/c1a270fbbe09a22c024eb38d7584f3b9/79956595745.pdf
- https://www.medipratik.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c8a1402f0e---fepedatevodum.pdf
- http://seednseed.com/admin/fckfiles/file/gamatunuzibutafuwafuj.pdf
- http://alphasigmaoverseas.com/userfiles/file/79694679282.pdf
- https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/39lj7hb0k2mf38cq3lojftdrrb/84352774169.pdf
- https://agentcctv.com/userfiles/file/guburalotupojosanugigawe.pdf
- http://gtshotel.it/images/file/tigasamowe.pdf
- https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/orfm888hbs6gmtl2vo74rt1v23/jixuvaloziz.pdf
- http://www.ebsjosepirosamaria.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608768bdf2b12---pugixukimomumepimepoji.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=paw+patrol+coloring+pages+zuma
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0002a585.bin` `7fdc5578a83eb58986fd21b115e233fd8125a41244cd797416d3e3a369c34e8d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2A585	20292 bytes
`font_01_sfnt_off0002d889.bin` `0e6e3203bbd107760b0107144cbecfc7cb88ed1ab61cb5cc22624275509a7820`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2D889	1816 bytes
`font_02_sfnt_off0002e108.bin` `eb322746d3ac072accb1c1a7b45cb2045771cccdb816429b7739c844d361bbfc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2E108	16792 bytes
`font_03_sfnt_off0002f913.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2F913	16792 bytes
`font_04_sfnt_off0003112a.bin` `642dc6f1787f8e495e82b8ed50e532c970c3d01aec7a798f81adc9d383bffba2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3112A	10964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.