PDF malware analysis — malicious · 29d1b9f6f4a72886

MALICIOUS

PDF

73.2 KB Created: 2021-06-11 17:35:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27

MD5: 6561c0b1c2b80e0f6c3f4fb368499c24 SHA-1: f6488f0c85f40c4367d8b07f8d13a87e571fbb97 SHA-256: 29d1b9f6f4a72886007eaad7cbb75c8aa8f1d825a46d872917d35ebe0a95a50d

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan distribution attempt. It contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting a link farm designed to redirect users to malicious content. The document body, though truncated and obfuscated, appears to be a lure related to a "CCNA security course outline PDF", aiming to trick users into clicking these links.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://infrive.ru/uplcv?utm_term=ccna+security+course+outline+pdf PDF link annotation
- http://grandinhr.eu/images/user/file/42966553279.pdfIn PDF document text
- https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/4aae1b972db3b3dcc26903a4a2c5c300/rawopojosinem.pdfIn PDF document text
- http://www.agrosystem.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1608fa3ba72a7d---88397033451.pdfIn PDF document text
- https://adasms.fr/userfiles/file/12233834566.pdfIn PDF document text
- http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d4f817b5d7---25070228655.pdfIn PDF document text
- http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/4d044876f8b836b65965341c6f73fda8/fizaxizuzak.pdfIn PDF document text
- http://www.meglobalinc.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16086952c7fc30---42621074162.pdfIn PDF document text
- http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/00946d23bd6205ea3888acc2dc9b1a31/ganazawesepuf.pdfIn PDF document text
- https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160bb8ac408f35---79067248179.pdfIn PDF document text
- https://leicht-spb.ru/wp-content/plugins/super-forms/uploads/php/files/cf8f341a08e5e25b1beff1d1ebce8c8d/44736215932.pdfIn PDF document text
- http://slowjamsundays.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087e53640232---90294815701.pdfIn PDF document text
- https://pablohernandes.com/wp-content/plugins/super-forms/uploads/php/files/c57aae4179341d86be648fb5b4f19747/10054095353.pdfIn PDF document text
- https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/d8096dd468419840c1cff5f0e198aba5/bukuwan.pdfIn PDF document text
- https://sevsport.info/wp-content/plugins/super-forms/uploads/php/files/59a0b80007b3609752e855ece8bb38ac/8091653872.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000df03.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDF03	5156 bytes
SHA-256: `a38cb0f42c4d6d4910fd6fffb68ff161ad0ad1d19297bb64b9e558b7958bae72`
`font_01_sfnt_off0000f0a4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF0A4	11524 bytes
SHA-256: `4dbb743080e3c404baf53b0bc177241625c508ac1d86e5853af3b10073175554`

Open this report in the interactive analyzer, or submit your own file for analysis.