PDF malware analysis — malicious · 38547ee5a3b8676f

MALICIOUS

PDF

80.9 KB Created: 2021-09-17 07:14:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: a8facdf2ffdc02a876a28bc2dda9b8fd SHA-1: 721e733a01eac3ce2c98778ea84857d64b24a303 SHA-256: 38547ee5a3b8676f0b08aab6b9c6e22c10d9d8011aa03cdb60a1fda2455a6d0f

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm pointing to compromised CMS uploads and disposable hosting, suggesting a phishing or malware distribution scheme. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM heuristics further supports this, indicating an attempt to disguise malicious links.

Machine Learning

Nyx PDF Classifier malicious score 0.9833

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cremeconferences.com/wp-content/plugins/super-forms/uploads/php/files/378f6886bfdbfbfc9b2cfaa3af606e3b/50032784983.pdf
- http://www.mezmat.ru/ckfinder/userfiles/files/rotukov.pdf
- https://nasikampung.info/contents/files/fenutivixegix.pdf
- http://extrastyle.ee/ckfinder/userfiles/files/xizedevodedelafokagop.pdf
- http://com123.vn/uploads/file/nufutodajidakex.pdf
- https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/16130f15e7472d---70539885000.pdf
- http://elard-group.com/ckfinder/userfiles/files/velugolizodexurul.pdf
- http://udmvdpo.ru/images/files/sapafipepe.pdf
- http://mimarathi.live/assets/ckfinder/core/connector/php/uploads/files/mijibiwevulor.pdf
- http://a-xian-coat.com/uploads/files/202109040818495845.pdf
- http://thamcohoaian.com/webroot/img/files/31016659318.pdf
- http://www.jesuseslaroca.org/wp-content/plugins/formcraft/file-upload/server/content/files/16139d90c24741---11225856905.pdf
- https://flavio-tonon.it/public/file/71004392186.pdf
- http://www.hkwebdesign.com.hk/wp-content/plugins/formcraft/file-upload/server/content/files/1613f28a6f3bc0---65709584136.pdf
- http://ziguratex.com/helpdesk/app/webroot/img/userfiles/files/20207099524.pdf
- http://phaptangpgvn.net/app/webroot/upload/files/zugujepulijozilidomi.pdf
- http://goref.ru/files/file/98126009486.pdf
- http://sanarina.de/ckfinder/userfiles/files/bavuk.pdf
- http://kapsalonindex.nl/images/uploads/64219774243.pdf
- http://sinorarechem.com/upload/files/43457699118.pdf
- http://barbusci.it/maisUserFile/file/87209038000.pdf
- https://toptenstudy.com/upload/files/BodyFile__613BB7563ED4D.pdf
- http://gazomotor.com/allinone/file/difolabukajiro.pdf
- https://ceccarbotosani.ro/userfiles/file/vixegukogazejuxibipanaga.pdf
- https://saint-florentin.charcutier-traiteur.fr/ckfinder/userfiles/files/wutujujotujuzimuxari.pdf
- http://nurugelexport.com/ckfinder/userfiles/files/97847432111.pdf
- http://lamekatus.ee/uploads/ckeditor/files/31662542511.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=download+vidmate+apk+for+pc+windows+7
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d4e6.bin` `39ef0e49d1503fd1361a92623305d5b1cd4503e1d4f6128a40bb8f6fb990b863`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD4E6	11076 bytes
`font_01_sfnt_off0000eec3.bin` `81ce19107fd2893bb300e9009f600ed0e996a837bec2d05b42915b825e801ecc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEEC3	18432 bytes
`font_02_sfnt_off00011df6.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11DF6	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.