PDF malware analysis — malicious · 3af993429dd7e919

MALICIOUS

PDF

74.8 KB Created: 2021-09-02 08:51:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 96612753c765c104c608640a61af989c SHA-1: 28ca5059707b65d6f67f85f25740c836b78ad0bc SHA-256: 3af993429dd7e919b611df87eb88d1add217918b45cc64bf9154d15a4998e910

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate the document functions as a link farm, directing users to multiple compromised or disposable hosting sites. These sites likely host further malicious content or phishing pages, aiming to deceive the user into downloading a payload or divulging sensitive information.

Machine Learning

Nyx PDF Classifier malicious score 0.9976

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://jevades.com/aircraft/fckimages/file/kowelisoji.pdf
- https://securitydm.com/slicice/file/13405975551.pdf
- http://ipjanah.ir/wp-content/plugins/super-forms/uploads/php/files/n3ufoh3intv2dckcc3hqn3m926/88289748161.pdf
- http://ucinnovation.ru/admin/ckfinder/userfiles/files/fozifowume.pdf
- https://fotovipvercelli.it/file/66898497859.pdf
- http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/jelfeolbie1vegnihtofpiakts/vewagesukobekebulepajoga.pdf
- http://angelescare.com/userfiles/file/50261945145.pdf
- http://uat.ideadunes.com/projects/ideadunes-portfolio-site/wp-content/plugins/formcraft/file-upload/server/content/files/160805a456435a---webamolalitezipoworotog.pdf
- http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2e9d7b9d82---15383122848.pdf
- http://geose.ru/userfiles/file/pipojojijimewupipaxov.pdf
- http://www.eventoptik.de/upload/files/78497438552.pdf
- http://aptekadc.pl/userfiles/userfile/xinijup.pdf
- http://hainescentreasia.com/images/file/26358887832.pdf
- http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160bbbc60a0340---samukekonewifoxavum.pdf
- http://em-mould.com/ckfinder/userfiles/files/46896612003.pdf
- http://paradisetnl.com/FileData/ckfinder/files/20210724_B2CC4A844731885C.pdf
- http://ankaser.com/userfiles/file/towavazofiwal.pdf
- https://torbay.ru/images/uploads/file/lejodinafavoziz.pdf
- https://www.mysmilestudios.com/wp-content/plugins/super-forms/uploads/php/files/1a9e17e520f35b0a7a2e6a82e2191f78/33006290523.pdf
- http://ride.hu/images/uploads/files/23662861887.pdf
- http://w-f-l.de/user_img/file/totawiz.pdf
- https://remoteworkerclub.com/wp-content/plugins/super-forms/uploads/php/files/5181c5178905bf3e2f53debe98b13ebf/vagagaropu.pdf
- http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160832755215ee---73959837389.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=lectins+pressure+cooking
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c253.bin` `b3c42feff72c9979879b454969707ba03bfc066abe87f08ac8764988860f653a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC253	10488 bytes
`font_01_sfnt_off0000da55.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDA55	16792 bytes
`font_02_sfnt_off0000f267.bin` `b49e53ca665392aa40bd1237d47dbeebda6bcc964bd3041a1ad88f3e797d3fea`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF267	16764 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.