PDF malware analysis — malicious · 465ee49b9b13cf63

MALICIOUS

PDF

98.9 KB Created: 2021-09-01 23:58:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23

MD5: f3bdb8ff97dcfb35b9ab7ac56202c80f SHA-1: 6cced36d00b5691d7e29dce3a3624fd6a5a8fc81 SHA-256: 465ee49b9b13cf63fa458ed05f0becbbfdc08aa89fbc5692af3227b8ca704e77

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a collection of links, many pointing to compromised WordPress upload directories, suggesting an attempt to host malicious files. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to download a password-protected archive, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9988

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.uniqueartzz.com/wp-content/plugins/super-forms/uploads/php/files/sl71enssedcecavb7nmsppeib6/40303378755.pdf In PDF document text
- https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/fc2419998fbb7ebfbaa7095c40418ce4/vefosizi.pdfIn PDF document text
- https://unique.global/wp-content/plugins/super-forms/uploads/php/files/52de7a344722c22b9000a53fa2d57acc/17352891435.pdfIn PDF document text
- http://garagehayashi.com/js/upload/files/bidewasavurizitarudu.pdfIn PDF document text
- https://hkbca.org/UploadFiles/file/20210621194621115.pdfIn PDF document text
- https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/4r7h8cpg9l2e1e99fpii446nbr/velozovesimawupemez.pdfIn PDF document text
- http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607b83176b57a---farowavomuwiresa.pdfIn PDF document text
- http://architects-desk.com/uploadsfile/vexigugibemajijex.pdfIn PDF document text
- https://hoffmanowska.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160954f2bbd3e1---nevumomofusej.pdfIn PDF document text
- http://srividyaastrology.com/userfiles/file/36075808156.pdfIn PDF document text
- http://theopenhouseclub.com/wp-content/plugins/super-forms/uploads/php/files/5929de1078aab46642e9a97d1f1f3229/64710063065.pdfIn PDF document text
- http://planetamama.ru/files/file/1631207499.pdfIn PDF document text
- https://rzfmuhasebe.com/userfiles/file/5437067627.pdfIn PDF document text
- http://buildinggodskingdom.com/webcms/file/pemisumofeporopapi.pdfIn PDF document text
- https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160762b3f4b450---jinolulajiroredurupikizi.pdfIn PDF document text
- https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077152fe1e51---lileferituvujonawex.pdfIn PDF document text
- https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/f6f9432a036492659e3fe21fddfcaf40/2562842028.pdfIn PDF document text
- http://www.benvenutialmare.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a272a7c3d8---lugosere.pdfIn PDF document text
- http://erfolgsapp.de/wp-content/plugins/formcraft/file-upload/server/content/files/16098c87b68303---zewazosoji.pdfIn PDF document text
- http://aklond.com/UploadFilesfile///2021050712270365.pdfIn PDF document text
- https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a8882fa5d2d---42719193244.pdfIn PDF document text
- https://www.ayersworthglen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c9bba151fd---rurarivuwezep.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=jdk+8u171+with+netbeans+8.2+downloadPDF link annotation
- https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/6fd97c33871edc34245d3db2a7c97d8c/basoja.pdfIn PDF document text
- http://www.oracle.com/technetwork/java/jIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011731.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11731	20140 bytes
SHA-256: `a4244311a79b88239e1ef264e1d659d15da30d35144bc2bf3456fa0aeb8fd0ca`
`font_01_sfnt_off00014b1c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14B1C	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00016333.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16333	11152 bytes
SHA-256: `65a61bf2809b6e0b38c93914294f88f698e0cc6ca365d2967412bb96a64c3885`

Open this report in the interactive analyzer, or submit your own file for analysis.