PDF malware analysis — malicious · 2cac90ac040d4fea

MALICIOUS

PDF

94.4 KB Created: 2021-07-03 13:44:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24

MD5: 079921d45d801156c7ea13a74b2dfcef SHA-1: dd7519cd6946fa7439f6a2af51293ea4bf5150e3 SHA-256: 2cac90ac040d4fea18f0041a3c968eda9b0732894035a78fadf8e57dc75410c5

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as a malicious PDF by ClamAV and an ML classifier. Static analysis reveals it functions as a link farm, with numerous embedded URLs pointing to compromised WordPress sites. These links likely serve as a distribution mechanism for phishing or further malware, aligning with the 'Spearphishing Attachment' technique.

Machine Learning

Nyx PDF Classifier malicious score 0.5631

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085da4b93fa4---2600087256.pdf In PDF document text
- http://hongshengfish.com/uploadfiles/2021051417351416573.pdfIn PDF document text
- http://immobilieninvestors.de/userfiles/file/pimexizobami.pdfIn PDF document text
- http://hitecds.com/userfiles/file/najuzije.pdfIn PDF document text
- https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606ced46d7011---54823617821.pdfIn PDF document text
- http://ttc-investco.com/img/files/rozewipenav.pdfIn PDF document text
- https://signaturetowerpune.com/wp-content/plugins/super-forms/uploads/php/files/71h0v504no9176pnt6cf1fuao7/fijulixuwesunemoge.pdfIn PDF document text
- http://atlantichomeportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a6d57df028b---netixoti.pdfIn PDF document text
- http://norilskgu.ru/userfiles/file/41318503213.pdfIn PDF document text
- http://dangkyidol.com/wp-content/plugins/super-forms/uploads/php/files/jj0ddvnel93mokhckkr9s2fsa1/18379026963.pdfIn PDF document text
- http://thetachikappasigmaalumni.org/clients/5/56/56ac51e2ee760b54d3ff8b7d53c877b7/File/52442968038.pdfIn PDF document text
- https://pyhm.ca/wp-content/plugins/super-forms/uploads/php/files/7310vhp98njeb33htkq8oj1k8i/jefenoze.pdfIn PDF document text
- http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b2f83bb0bcb---julilexuzoronurativosukub.pdfIn PDF document text
- https://sasalidayanisma.org/uploads/file/niwarimi.pdfIn PDF document text
- https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbe76592c4a---misizejelapowojet.pdfIn PDF document text
- https://razdolle.by/wp-content/plugins/super-forms/uploads/php/files/pvq0eq5a23n0pmb57dmg7fi921/timebagababaretufadavenol.pdfIn PDF document text
- https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/7lbbdfpog7gd4tj1jdsusvrhmf/48821261279.pdfIn PDF document text
- https://www.icslights.com/wp-content/plugins/super-forms/uploads/php/files/c1429b3863e2c7b66c72c99f21d6cd88/jutetumugabolikawesetaj.pdfIn PDF document text
- http://mspchicagolaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/97799629767.pdfIn PDF document text
- http://mas.vacations/wp-content/plugins/formcraft/file-upload/server/content/files/1608ca12c407b1---67135662437.pdfIn PDF document text
- https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a9e84d717e6---zuzabolewakanozamodizomop.pdfIn PDF document text
- https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/t21vcnqf9iqm7pjqm72sttksvt/30685285576.pdfIn PDF document text
- http://espokebar.com/uploads/files/3783987301.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/Om9ozkHLxGw/uplcv?utm_term=what+god+did+jethro+the+priest+of+midian+worshipPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000150a0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x150A0	17876 bytes
SHA-256: `904ec2b23674d464dfd52bf614274b03a25f58cb4279e6c9549639957e053852`

Open this report in the interactive analyzer, or submit your own file for analysis.