PDF malware analysis — malicious · 2a3491e8e4f0a3d6

MALICIOUS

PDF

111.8 KB Created: 2021-05-29 23:55:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1402ab674852dc23a8d6a8ef717824b0 SHA-1: 8dde939520d7615d8fabcccfe821a59543f197c6 SHA-256: 2a3491e8e4f0a3d6200fe52fe9d9b4b4cd11b0065cee23404077f0cd67e1f1cb

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to various websites, many of which are hosted on compromised CMS platforms or disposable domains, indicating a link farm for SEO poisoning or phishing. The ClamAV detection and ML classifier strongly suggest malicious intent. No scripts were extracted, but the structure and URL patterns are indicative of a malicious PDF designed to redirect users to harmful content.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://aarogyamedico.com/userfiles/file/49852270175.pdf
- https://www.vibrationmonitoring.asia/wp-content/plugins/formcraft/file-upload/server/content/files/1608b5c42af3b8---kanukaganarujusiwuluxibo.pdf
- https://semineebrasov.ro/printuri-fi/files/zazimu.pdf
- https://yidinfo.net/wp-content/plugins/super-forms/uploads/php/files/0ltu7hoqdl7ak1dpr3nf0op0lk/wuwuvez.pdf
- https://too.kg/wp-content/plugins/super-forms/uploads/php/files/3856b9ad7762bc25016feff9fc7c2e92/74231445386.pdf
- http://www.training4thefuture.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a04e3e5a875---67106599477.pdf
- https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/322223a0e152748217f913d89e2c4fec/kinajejunelo.pdf
- https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608183288c099---pefaturolomalofebaduka.pdf
- https://www.sudburyhighspeedinternet.ca/wp-content/plugins/super-forms/uploads/php/files/605f5be0f7a26bf12718127cf47bdd97/37967055474.pdf
- http://pansophers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ef377bb4c2---31065449666.pdf
- http://accomplishtheimpossible.com/userfiles_ati/file/kovinuzulol.pdf
- https://www.andimoda.com/wp-content/plugins/super-forms/uploads/php/files/4422dd1ed60385cd1cc64f0982d58f8b/38532641895.pdf
- https://ketgate.eu/wp-content/plugins/super-forms/uploads/php/files/0feac413fe1fdebabe43937e7a4d19ea/27861909292.pdf
- https://stegopackaging.com/wp-content/plugins/super-forms/uploads/php/files/sf22d9i66nhcl9l59d4flicbk9/pibubaxanebekaje.pdf
- https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/a495ee7c7b46a74f6894275c7622789b/gitizuvomelosefupomu.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=sliding+block+puzzles+online
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00016bb3.bin` `5e3468c2664e35306626c7b9576a13211b5d3666553a4b55cb22758a129ff14d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16BB3	5092 bytes
`font_01_sfnt_off00017d0b.bin` `967015ec5d4bba2964be9a013bc34903549532b764c49b139a31fbc22dd1bee0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17D0B	11564 bytes
`font_02_sfnt_off0001a47c.bin` `ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1A47C	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.