PDF malware analysis — malicious · 36eadf8e8398ba81

MALICIOUS

PDF

65.1 KB Created: 2021-10-02 17:02:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31

MD5: 20f4cb388fd68e41876a757ac08bbad9 SHA-1: 3642bed8e26e3bc7048203744a2637cc423253ec SHA-256: 36eadf8e8398ba8151f61d29bf5eef323f86cee73b7a381192bca7211e37e6c7

174 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm with 25 distinct hosts, many of which are disposable domains, suggesting a phishing or malware distribution attempt. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.Trojan-d2528dad23a95d95-10044376-0' strongly indicate malicious intent. The ML classifier also flagged the PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.5541

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH

A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://tentauto23.ru/ckfinder/userfiles/files/84882116196.pdf In PDF document text
- http://xn--oy2b9bv81anouola.com/upload/file/202109140433292149.pdfIn PDF document text
- http://oikoscoccatoarchitettura.com/userfiles/files/lutesurutototisavu.pdfIn PDF document text
- http://toyotaquangninh.org/data/dulieu/files/mesag.pdfIn PDF document text
- http://royalleasingny.com/admin/images/file/nuvevagetojugokad.pdfIn PDF document text
- http://chongqinghaohong.com/upload/files/pajinezijilitunuxometeded.pdfIn PDF document text
- https://ariconium.cz/webpagebuilder/ckfinder/userfiles/files/15167709188.pdfIn PDF document text
- http://rabotatver.ru/userfiles/admin/27944112108.pdfIn PDF document text
- http://serenetour.com/image/upload/File/27744663381.pdfIn PDF document text
- http://ues-rb.ru/themes/ues-rb.ru/files/xivurawon.pdfIn PDF document text
- http://bayzones.com/fckeditor/editor/filemanager/connectors/php/userfiles/file/suvateladuvidegowosab.pdfIn PDF document text
- https://member-amz-seller-system.de/wp-content/plugins/super-forms/uploads/php/files/09a3e0b1071b25ed923993b16b636b36/68873541780.pdfIn PDF document text
- https://remini.hu/userfiles/file/76217280593.pdfIn PDF document text
- http://clear-es.net/yamituki-n/uploads/files/33838811140.pdfIn PDF document text
- http://crabandclaw.com/uploads/files/rejiseneteduzexuduvubu.pdfIn PDF document text
- https://egyediajandekotletek.hu/mvc/userfiles/file/munapixepofukigafudep.pdfIn PDF document text
- https://birsamundapark.in/userfiles/files/vasizovekawakudufogomuze.pdfIn PDF document text
- https://www.champagne-cornevin.fr/ckfinder/userfiles/files/62196993051.pdfIn PDF document text
- http://realestatespoznan.com/uploads/55864171660.pdfIn PDF document text
- https://www.clinicaepilepsia.cl/ckfinder/userfiles/files/fojalivifowobaxepotuvujij.pdfIn PDF document text
- http://podarox.ru/public/files/95921228076.pdfIn PDF document text
- https://martas.vodrsport.cz/uploads/files/gatomuzen.pdfIn PDF document text
- https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/1613e1b5a36cfe---69824140996.pdfIn PDF document text
- https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16140293b6b81d---nuxodag.pdfIn PDF document text
- https://diedacorporation.net/freesiafiles/file/45221026538.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=datatable+pagination+server+sidePDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b612.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB612	16500 bytes
SHA-256: `711b1d6bc9c7cf86779386b5dd4f54a35554975f43fdaf3bee503a1111cd3e2a`
`font_01_sfnt_off0000e018.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE018	10772 bytes
SHA-256: `24632f3c52bf0f8e150fb5c7b188789518a1de2ed596da3f07479c5d578e33b7`

Open this report in the interactive analyzer, or submit your own file for analysis.