PDF malware analysis — malicious · 3523d4b8471ac354

MALICIOUS

PDF

87.8 KB Created: 2021-07-18 21:14:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25

MD5: 4c92f95bf510880fb691ce62b6a1c44d SHA-1: 458e3178346791be913facf9a1b341f12cdb9999 SHA-256: 3523d4b8471ac354be247dea4f0c3914d2ce1c568e5a55ebc6f23769f54be31b

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links, many pointing to compromised CMS upload directories, suggesting it functions as a link farm for phishing or malware distribution. The presence of a LOLBin token sequence in the document text further supports the malicious nature of the file.

Machine Learning

Nyx PDF Classifier malicious score 0.9835

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/5a77d6bbba9c53c8936f8592c688e9f8/60442387621.pdf In PDF document text
- https://ecomassage.pt/wp-content/plugins/super-forms/uploads/php/files/kg3tjc5s8o8ks19oou7cv4f59o/65393891696.pdfIn PDF document text
- https://aadhaarretail.com/administrator/imagetemp/file/85062918908.pdfIn PDF document text
- http://quiltingacademy.info/fckeditor/userfiles/file/dajegasuwa.pdfIn PDF document text
- http://thaoduocquyhiem.com/userfiles/image/file/3011814079.pdfIn PDF document text
- http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d62b644125---juxezutitevumoz.pdfIn PDF document text
- https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/185f512bd71ce1ddba3a35a0055fd9df/33614070790.pdfIn PDF document text
- https://glowskincare.net/wp-content/plugins/super-forms/uploads/php/files/d260cd18338513081de7703f90489dd5/91516501522.pdfIn PDF document text
- http://aplus.to/userfiles/file/40092019896.pdfIn PDF document text
- http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab5a42552b5---3376781526.pdfIn PDF document text
- https://webmodels.studio/wp-content/plugins/formcraft/file-upload/server/content/files/16076a4451fe80---volezubovujowuxuba.pdfIn PDF document text
- http://mdbim.pl/ubezpiecz/obrazy/file/73748987325.pdfIn PDF document text
- https://watosaphotography.com/app/webroot/userfiles/files/20210626_011433.pdfIn PDF document text
- http://terapie-psi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160c3038e3527e---97455441367.pdfIn PDF document text
- http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b7a8a58ac83---83982698606.pdfIn PDF document text
- https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be8121204fc---73385348159.pdfIn PDF document text
- https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/162260ca45af4960aef9d96ce1ee7da1/50475765949.pdfIn PDF document text
- http://nordicaluminium.ru/userfiles/file/getarenufakopebujiw.pdfIn PDF document text
- http://kameleonhastanc.hu/files/file/26188477727.pdfIn PDF document text
- http://geose.ru/userfiles/file/zaniwuvekagunisewazenudis.pdfIn PDF document text
- http://www.lentilles-progressives.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1606f9c9235452---90342373035.pdfIn PDF document text
- https://aquariumfargo.com/wp-content/plugins/super-forms/uploads/php/files/500a29f041ca73e89495eeef5b7b667e/57314720989.pdfIn PDF document text
- https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083ab29d3126---vepinad.pdfIn PDF document text
- https://avantkart.com/wp-content/plugins/super-forms/uploads/php/files/q1jnnncmddm9mio5pk5ink19us/petaduturoxuzabokoge.pdfIn PDF document text
- http://minhnguyenvn.com/uploads/userfiles/file/nugapulator.pdfIn PDF document text
- https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/16076e89d77090---revuwevujorew.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=veggie+dishes+for+thanksgivingPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f32e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF32E	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00010b45.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B45	10712 bytes
SHA-256: `0e0065d8676c12fe480a39d43182c9cdcd8c7d8ec555ca3425811a96139a699c`
`font_02_sfnt_off000123a7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x123A7	17736 bytes
SHA-256: `0a85c8e3f2424d3b70249ba884d30c0aada1045f7b8eefb54b051a088bf0a17c`

Open this report in the interactive analyzer, or submit your own file for analysis.