PDF malware analysis — malicious · 207f1b72ccc6520d

MALICIOUS

PDF

275.6 KB Created: 2021-06-14 08:59:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23

MD5: 8acc9eb73892e18da2eabf689d3fd1d7 SHA-1: 29270b9348172e6b4676ae9df59a949927f5f2f1 SHA-256: 207f1b72ccc6520da0bf449f4b7ab5699addf471bd6f80c9f41800fbb15797f5

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple heuristics indicating malicious intent, including external URI links and a high ML classifier score. The presence of a 'download button' lure suggests a phishing or social engineering attempt. The embedded URLs point to compromised WordPress sites, likely used to host or distribute malicious payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9781

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://allytemp.ru/uplcv?utm_term=turbo+dismount+hack+apk PDF link annotation
- http://grani-tonkogo-mira.ru/wp-content/plugins/super-forms/uploads/php/files/64ad713edc7a1ba950a900c5df70aa1f/41172294323.pdfIn PDF document text
- http://digimaap.com/wp-content/plugins/super-forms/uploads/php/files/f2nbnatpo5rm43tcfsci3ejacp/20261158653.pdfIn PDF document text
- http://www.pianoszimmermann.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607ca188613bf---najazenigiwisifano.pdfIn PDF document text
- https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16086471089fe1---buvomasatubinag.pdfIn PDF document text
- http://zulassungsservice4you.de/bilder/file/zuzugelowegupurazom.pdfIn PDF document text
- https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d67a570ae1---30914480847.pdfIn PDF document text
- https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a688e20e0f---sipelumaxawivef.pdfIn PDF document text
- https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/f73f989451525979d095e1a4a622faa4/jilutikijoji.pdfIn PDF document text
- http://ahxxzx.com/userfiles/202106/file/bebipatid.pdfIn PDF document text
- https://www.burit.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609fb28b0af63---xolavulodogemibanisitizo.pdfIn PDF document text
- http://khodahoanglang.com/admin/webroot/upload/image/files/vugozibopatovunaxaguxobew.pdfIn PDF document text
- https://inncredel.com/uploads/52163647799.pdfIn PDF document text
- https://serwisnawigacji.pl/userfiles/file/43503780547.pdfIn PDF document text
- https://www.arc-welding.co.uk/wp-content/plugins/super-forms/uploads/php/files/c3291a7tban6upu06g6805kh41/bomedelokifukif.pdfIn PDF document text
- http://cfacgroup.com/uploads/FCK_files/file/21684843554.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00039a6b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x39A6B	26840 bytes
SHA-256: `4c39798d777f1c29568bd5511ce39ba2fac2aa493f2b18676357757cdbf03fa8`
`font_01_sfnt_off0003eceb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3ECEB	5436 bytes
SHA-256: `efb68a6d17b79aa779d926d1ece563f8b50e3955f722ca1d73aaffe7301212bd`
`font_02_sfnt_off0003ff31.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3FF31	12032 bytes
SHA-256: `1fb89af6fafec2f56c698bcbb6f17a389e624463c59e654bc48a9fa8c59685d2`
`font_03_sfnt_off00042860.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x42860	16716 bytes
SHA-256: `fcaf9484d8ab48a145bbdcc97886b1aac87adcee36beb05c0b1827439c412372`

Open this report in the interactive analyzer, or submit your own file for analysis.