PDF malware analysis — malicious · 3e30d26f2e6326bd

MALICIOUS

PDF

93.9 KB Created: 2021-07-01 10:02:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: 2912482a0c1f00f82d3c96692b2a50ad SHA-1: 993986b5d4e433a1776babf856d62e1635856a32 SHA-256: 3e30d26f2e6326bdfd94e9ac8a9eefbba950086bcef1826793f2adb95cdeffa3

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The sample is a PDF that contains a link farm pointing to other PDFs hosted on compromised websites, a common tactic for distributing malicious content. The ML classifier and ClamAV detection strongly indicate maliciousness, likely related to phishing or a scam. The document body is heavily obfuscated and unreadable, preventing a deeper analysis of its specific lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9935

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://heritagelogs.com/wp-content/plugins/super-forms/uploads/php/files/hlo99mtqg2uqjnb3d7f4qtel0b/vikegiwujatigin.pdf In PDF document text
- https://athensviptour.com/wp-content/plugins/super-forms/uploads/php/files/e9395b4f3bcd9f786f565ed03a5c7e7d/juwupowenobalufoxunikap.pdfIn PDF document text
- http://msamerica.net/clients/873634/File/323843785.pdfIn PDF document text
- https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607921a2801d3---paputoziwin.pdfIn PDF document text
- https://wccia-vastu.com/wp-content/plugins/super-forms/uploads/php/files/4ee399d8d0e09d817ad93f0c686baa0f/8771796531.pdfIn PDF document text
- http://hzdsbg.com/uploadfile/1623683882.pdfIn PDF document text
- https://legacyltg.com/wp-content/plugins/super-forms/uploads/php/files/d597a3b8cda8116cfb07b4fe74c522b1/61561498146.pdfIn PDF document text
- https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/8c64efaabb92e66213c9ad96f22bc0b3/vufalijezewipozere.pdfIn PDF document text
- https://www.kbstephens.com/wp-content/plugins/super-forms/uploads/php/files/6f0373d1c15724dab8d468e7b54b5fdc/93463073000.pdfIn PDF document text
- http://esoftland.com/userfiles/file/vobedamepep.pdfIn PDF document text
- https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/4gb65kp4tpm2gdfb98fhi15usa/94390968897.pdfIn PDF document text
- http://opalbiosciences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b797c0df24---54740143314.pdfIn PDF document text
- http://www.argentum.com/wp-content/plugins/super-forms/uploads/php/files/hhf3ifl5ifsbaarmse4b4d3ihh/81971150413.pdfIn PDF document text
- http://www.highlandmetals.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160c0250ee2729---93882268279.pdfIn PDF document text
- https://edoxmarketing.com/wp-content/plugins/super-forms/uploads/php/files/uf4g6ek93ahfirrg5m395rlk9m/89773002401.pdfIn PDF document text
- http://thelonerangerfanclub.com/ckfinder/userfiles/files/gopukofemilotosifix.pdfIn PDF document text
- http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160968503ce524---galisijamewo.pdfIn PDF document text
- http://regimhotelierbucuresti.com/images/userfiles/vilewejizifizi.pdfIn PDF document text
- http://az4group.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607f92d3d2ffe---taxofemewerivem.pdfIn PDF document text
- http://anthonyvienna.com/sites/default/files/file/34191675789.pdfIn PDF document text
- https://www.drserapkagan.com/wp-content/plugins/super-forms/uploads/php/files/kkte15i4llktjt3ir5e36l94sd/jizonumukenofino.pdfIn PDF document text
- http://thevelascofamily.com/clients/11614/File/rimilukepesabukuli.pdfIn PDF document text
- https://islandsvefir.is/wp-content/plugins/super-forms/uploads/php/files/3n71quov69ql6i82lkgsahltng/63122625218.pdfIn PDF document text
- http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1e260043cf---65938935088.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=stock+loss+carry+forwardPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010b65.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10B65	10508 bytes
SHA-256: `127929af6c99aa0931a8084e5fa24ab758904436a610ce00b6be3b348cec65c2`
`font_01_sfnt_off0001238b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1238B	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00013b9d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13B9D	17784 bytes
SHA-256: `93284f11d1424bc024d57569e4a33d1d855f7034e3ea59525ef01e811ba9d9d6`

Open this report in the interactive analyzer, or submit your own file for analysis.