PDF malware analysis — malicious · 22184843cd9e8004

MALICIOUS

PDF

79.3 KB Created: 2021-09-14 10:17:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: cb441ba24bc88eb7dc7cdebbdc106ae6 SHA-1: 880f2798c553be96b6ec6146f522c6c211100b0c SHA-256: 22184843cd9e80048f4a9fdec06843d5d424a97fdd7d9612f05f3a2d9bdaca16

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links, many pointing to compromised CMS upload storage or disposable hosting, indicating a link farm designed to redirect users. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, suggesting it's not intended for direct user reading but rather as a container for malicious links.

Machine Learning

Nyx PDF Classifier malicious score 0.9975

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://bigdoughpizza.com/uploads/files/59147889927.pdf
- http://gulfcoastlist.com/userfiles/file/labebat.pdf
- http://www.hkwebdesign.com.hk/wp-content/plugins/formcraft/file-upload/server/content/files/1613e08ed4eeb9---fegikidanalaged.pdf
- https://giraffeng.net/infodaily/gen-ckfinder/userfiles/files/zogaxutox.pdf
- http://cegled.varosom.hu/userfiles/files/5005105912.pdf
- http://myshopgroup.com/userfiles/files/neremozofokikadozotagurel.pdf
- https://charterfori.ir/basefile/charterforiir/files/nokopanoxivirunubefab.pdf
- https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613c9c87c0560---welitibumapiwimufowisine.pdf
- http://www.lukoilmarine.com/ckfinder/userfiles/files/89855512708.pdf
- https://discovercefalu.com/_data/images/file/23981047879.pdf
- http://schoonhovensvrouwenkoor.nl/ckfinder/userfiles/files/lusajurudakurivupugiteg.pdf
- http://czpohledavky.cz/userfiles/files/jasapogis.pdf
- https://idosekotthonaveresegyhaz.hu/files/files/zorezete.pdf
- http://ordineveterinarireggioemilia.it/userfiles/files/79649008367.pdf
- http://goref.ru/files/file/povikozaton.pdf
- http://olimpic.hu/ckfinder/userfiles/files/faponomutukebaf.pdf
- http://xn--b1amishc2fb.xn--p1ai/ckfinder/userfiles/files/4625884562.pdf
- https://delcinfo.ru/img/files/files/11683012544.pdf
- http://ccsl.asia/files/91774166746.pdf
- http://marisqueandopremios.com/campannas/file/zasefaruwadaxa.pdf
- http://vipacademy.org/userfiles/file/98263541895.pdf
- http://visualpaint.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613657358b4c4---nudugabezelafabo.pdf
- https://demo-calson.garment-pro.com/ckfinder/userfiles/files/31513545475.pdf
- http://jurabos.nl/include/editor/file/33430491062.pdf
- http://www.kzhep.in.ua/wp-content/plugins/super-forms/uploads/php/files/knbdvj4cm3ppk94731h22glua4/1508693717.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=unity+plugin+android
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d43b.bin` `9442e7f86c8adbd8ffabced267a6a53841d97f6ab60a87cf2c9f7ee1c80f76e5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD43B	10488 bytes
`font_01_sfnt_off0000ebe9.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEBE9	16792 bytes
`font_02_sfnt_off000103fb.bin` `d36e4840d2e2b5d80be53167055071914c07dc3bf13c88f82abdf2bc25da878a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x103FB	16668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.