PDF malware analysis — malicious · 3a7341af18bcd824

MALICIOUS

PDF

280.9 KB Created: 2021-06-27 14:34:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: adf4490324006263e027e80d1af26d82 SHA-1: 5bcf769b2ac220b2f52ba1155ed1cb273ebd99ae SHA-256: 3a7341af18bcd824df1c12ee5515d53938cbc4ab041e6df677a9bab649452c40

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous URLs, many pointing to compromised WordPress sites, suggesting it's used to distribute or host malicious content. The presence of PDF_URI and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this, indicating the PDF is designed to redirect users to potentially harmful external resources.

Machine Learning

Nyx PDF Classifier malicious score 0.9784

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pistant.ru/uplcv?utm_term=the+guide+to+herbs+for+rpgs+5th+edition
- https://www.chortho.co.uk/wp-content/plugins/super-forms/uploads/php/files/k65i5cu152q6ugc9uguua7d5qe/gudadamagalamalozimipe.pdf
- https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081f000e0605---jimaxefiwegodobunefolek.pdf
- http://www.eflox.net/wp-content/plugins/formcraft/file-upload/server/content/files/1606f61aaa0fbe---18563695928.pdf
- http://palenice.net/obrazky_clanky/file/32472395870.pdf
- http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/160766c7489f86---55232725071.pdf
- https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/590725e47f3a9bf6e13fa44480d6161b/89194041464.pdf
- http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a377e3b9134---fivona.pdf
- http://goldenbaycruisesagent.com/userfiles/file/bifotojilekibitozokabif.pdf
- http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c2eb8fd5601---xilalepexenodem.pdf
- https://dipinkrishna.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a99ec251960---kidomi.pdf
- https://floorco.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/81c65f07275b1068fc1f2185c8b9ea2e/xexagagaziwibizusopotad.pdf
- http://smeeing.com/userfiles/files/ruxidabixekudumefawo.pdf
- https://benchmarktransitions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b45875dbc35---40906679694.pdf
- http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/fab3620a8f61dd9f6c9072c56357cd32/sonigobixirul.pdf
- https://www.karavanlakesfet.com/wp-content/plugins/super-forms/uploads/php/files/e63e196e314590643d3b1d70cc6dbde0/2631952013.pdf
- http://southeastern61.com/clients/0/07/0748cf78e2268043913ae7c14e09e996/File/13295333070.pdf
- http://harasim.cz/uploaded/files/67668315259.pdf
- https://eyetracking.pl/userfiles/file/24741683838.pdf
- https://socohoteldanang.com/uploads/image/files/vasapinumobelakonow.pdf
- https://regalcabs.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609feccf87207---bikeka.pdf
- https://robotics-institute.com/wp-content/plugins/super-forms/uploads/php/files/pbe2lnubk6ssdooms8hac43umi/69358959617.pdf
- http://hilltopperalumni.com/clients/9/93/936f23dc4abb03f6d4a1aae2c8a32781/File/wozumisiwirubinenezozipe.pdf
- http://rheumatology.institute/upload/content/file/11640432736.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0003f3ec.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3F3EC	16792 bytes
`font_01_sfnt_off00040bfe.bin` `4a4aa3e7dc050c827970d21f3ba6e22d31c28e89d89edbddf54acd4e771f0b7f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x40BFE	17616 bytes
`font_02_sfnt_off00043a5f.bin` `cb3eb983108c099cf38a20f4cbf376c8b2dbea573c086959176f2bf269ffaa06`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x43A5F	10908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.