PDF malware analysis — malicious · 32cbd145c58249af

MALICIOUS

PDF

94.6 KB Created: 2021-06-26 15:32:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: b6cad0d76972b776382f9193e69f7a22 SHA-1: ec6fcc7372ed48173770bbdfb958aa1ff9008556 SHA-256: 32cbd145c58249af1838c0938873e91c4728bbd18e41f308f91f72cd0e058d1d

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is a PDF that leverages a 'Password-protected archive handoff' lure, instructing the user to open an archive with a provided password. This is a common technique to bypass gateway security scanning. The PDF also contains numerous links to potentially compromised WordPress sites, suggesting it's part of a larger phishing or malware distribution infrastructure. While no scripts were directly extracted, the overall structure and heuristic firings strongly indicate a malicious intent to deliver a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9820

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://oneremote.ru/wp-content/plugins/super-forms/uploads/php/files/c12313b8aef6afc38857e65666018724/sebukudowof.pdf In PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0136b3e027---73700015566.pdfIn PDF document text
- https://alrukn.co/userfiles/files/lovokurinirilewivak.pdfIn PDF document text
- http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/160cc6ce63451e---karijil.pdfIn PDF document text
- http://xn----7sbakif2a3azdub.xn--p1ai/admin/ckfinder/userfiles/files/45063330923.pdfIn PDF document text
- http://mastervgtour.by/var/upload/file/gujetu.pdfIn PDF document text
- http://comp-art.ru/userfiles/file/rowetiwu.pdfIn PDF document text
- https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/3c9982742fa76e11f36515ec1c57da3e/bulopezaxitazolivefama.pdfIn PDF document text
- https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/6653543739da205d504cb152e70692f5/94884452357.pdfIn PDF document text
- https://www.eoluk.com/wp-content/plugins/super-forms/uploads/php/files/vt87ig6go4t25el9pkrjp9ii1q/gavotovuxenipaxem.pdfIn PDF document text
- https://tkquiz.com/userfiles/file/87448975083.pdfIn PDF document text
- http://sakirnoopo.ru/wp-content/plugins/super-forms/uploads/php/files/44090e79369ffcb9040e36a3873d154e/dekiwopubezukumet.pdfIn PDF document text
- https://www.lenoir-elec.com/wp-content/plugins/super-forms/uploads/php/files/vrg7u5e56d398ocsiepp6ujdnk/86169210331.pdfIn PDF document text
- https://dongytueduc.com/wp-content/plugins/super-forms/uploads/php/files/402is3u37hkgqu593d16nlbv7i/95922696527.pdfIn PDF document text
- https://camile.vn/wp-content/plugins/super-forms/uploads/php/files/6rto4bm8qa1pslvokocheecqei/femano.pdfIn PDF document text
- https://shining4u.com/wp-content/plugins/super-forms/uploads/php/files/79507e20af4fb5dddb2a69ecf3b54e4e/71601800250.pdfIn PDF document text
- https://isabellepieman.com/userfiles/file/68429156966.pdfIn PDF document text
- http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b8b85d40339---85589582159.pdfIn PDF document text
- http://nuraski.pl/wsg/userfiles/pufebadimukolire.pdfIn PDF document text
- https://engravestone.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6bed606453---40427556266.pdfIn PDF document text
- https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/24ef98118259ec8a73b78d13bf93577d/zufinuluk.pdfIn PDF document text
- https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/f8d9f54ee3305b37504486f76ef18e3f/16858097516.pdfIn PDF document text
- https://ancoraeducacion.com/images/tageluwuzedu.pdfIn PDF document text
- http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/16080bb58704db---jorox.pdfIn PDF document text
- http://xboxheerlen.nl/userfiles/file/foped.pdfIn PDF document text
- http://hpworld.hu/data/pic/Image/file/nefur.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=best+android+pornPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000110c4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x110C4	10392 bytes
SHA-256: `b700453a26c068da83eae2c3ac5645330d6ed89f3415f8107e3c23ecc6166cc7`
`font_01_sfnt_off00012868.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12868	17212 bytes
SHA-256: `3e8bc08347fc395005249d18cecff381876a2003cad80701db57e56adcc2f7a5`
`font_02_sfnt_off00015501.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15501	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.