PDF malware analysis — malicious · 38435e48ea393bf6

MALICIOUS

PDF

81.7 KB Created: 2021-07-03 09:30:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: ba17a6f3d3f9d012c83d7955eb0ddd25 SHA-1: 4ebeacf9af3d02ab37768f178b4ada0554bfb06f SHA-256: 38435e48ea393bf6c605e0a82730c0732cf068dc3919c8c9635f55b4db6400fc

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF document was flagged by ML classifiers and ClamAV as malicious, exhibiting characteristics of a phishing trojan. It contains a 'Browser extension / update installation lure' heuristic, indicating a social-engineering attempt to trick users into installing malicious software or revealing credentials. The document also functions as a link farm, with numerous URLs pointing to compromised CMS uploads and disposable hosting, suggesting it's part of a larger distribution network for malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9846

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.canadiantreasurer.com/wp-content/plugins/formcraft/file-upload/server/content/files/160781e4ce7fcd---poputitiridadibakuvunojo.pdf In PDF document text
- http://castanienfamily.com/clients/74558/File/wunoxi.pdfIn PDF document text
- https://agronlogistics.com/userfiles/files/pugujenusakexefowo.pdfIn PDF document text
- http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bee9af9fa72---gogopoxodekenesi.pdfIn PDF document text
- http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/160acaa95396a8---kaputetelabapoxenujorad.pdfIn PDF document text
- http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/efe6e43683060537b6341da5efa393e4/96700189974.pdfIn PDF document text
- https://unitedcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091ced9e7a86---jigubokev.pdfIn PDF document text
- http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/160de5b54b65ed---33125098172.pdfIn PDF document text
- https://www.enterpriselighting.com/wp-content/plugins/super-forms/uploads/php/files/ca3765919155e9c8d9f5e79519ab0399/14845888763.pdfIn PDF document text
- http://matstravel.ru/userfiles/file/63501238998.pdfIn PDF document text
- http://mijneigenlift.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c9c42e63c3d---japonawi.pdfIn PDF document text
- https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/02bd47b556424cbbfbdf85494f6c6f1e/libubagemaraferenatilupi.pdfIn PDF document text
- http://www.associatedomains.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608fc94f8c0ee---29402507504.pdfIn PDF document text
- https://fenixfalt.com/userfiles/file/mibologilavavubasoxax.pdfIn PDF document text
- http://gingerwooddesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096e4f315f07---bosonejeresitomagexuror.pdfIn PDF document text
- https://hacunamatata.ru/wp-content/plugins/super-forms/uploads/php/files/91153698bbedd17862d8cd5a878b04c1/pujonodogedazotelebabura.pdfIn PDF document text
- http://bezagsecurity.cz/userfiles/niminutudewizelem.pdfIn PDF document text
- https://t4g.nasscomfoundation.org/wp-content/plugins/super-forms/uploads/php/files/07pa777rf3rlc6etlm1hb5s840/pebulebomo.pdfIn PDF document text
- http://meyergarden.com/ckfinder/userfiles/files/84765505706.pdfIn PDF document text
- http://jr-bang.com/uploadfiles/20210618111835.pdfIn PDF document text
- http://labonguyenhoang.com/img-chamthi/files/nojul.pdfIn PDF document text
- http://wksystems.net/HotelEstimator/userfiles/file/vojomuxi.pdfIn PDF document text
- https://kes-stv.ru/wp-content/plugins/super-forms/uploads/php/files/fdd3b7d5f613d2ef3680137e21260286/dujudozegafuj.pdfIn PDF document text
- http://itaindustrial.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b30c988d376---19977863129.pdfIn PDF document text
- http://kazenergy.kz/wp-content/plugins/formcraft/file-upload/server/content/files/160aa8bc41ef7e---rivepujexali.pdfIn PDF document text
- http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3a92e8bf47---12676562153.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=pdf+complete+viewerPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dd2e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDD2E	10500 bytes
SHA-256: `dc6b267b2f5c2889fb861b207a1191637c88e5aa381478a066400d44a93214d7`
`font_01_sfnt_off0000f516.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF516	16956 bytes
SHA-256: `def6d4efebb875de0f6fd9abee3c22571c8048f374b6dfc102060de22acfd7b9`
`font_02_sfnt_off00012133.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12133	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.