PDF malware analysis — malicious · 5c2759e91deffeb0

MALICIOUS

PDF

72.6 KB Created: 2021-06-12 05:48:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-14

MD5: 28ea30ef7ccdd617fa16c233874533ec SHA-1: abddab6a4e4771da920d7803aac64e339114ac0c SHA-256: 5c2759e91deffeb07a7ac67aab0cb3a3e05b97ebf87781a0f3a222bf0de35818

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to external websites, many hosted on compromised CMS platforms or disposable domains, suggesting a link farm or phishing lure. The document body, though heavily obfuscated, contains references to 'PDF editor online merge pages' and 'wkhtmltopdf', likely serving as a pretext to direct users to malicious URLs for further exploitation or credential harvesting.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ketchas.ru/uplcv?utm_term=pdf+editor+online+merge+pages PDF link annotation
- http://remobudostol.pl/pliki/kisebaz.pdfIn PDF document text
- http://hi-reid-solutions.com/wp-content/plugins/super-forms/uploads/php/files/89c00345b0dc30ee29ff1af3f0598a60/kedenenusopi.pdfIn PDF document text
- http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/3l7p1dk7oktc8htidluq3v8f8o/18232131168.pdfIn PDF document text
- http://dioceseofniranam.org/userfiles/file/vatopepugiwi.pdfIn PDF document text
- https://coevent.ru/upload/files/konasoleb.pdfIn PDF document text
- https://anzmrrn.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609dbf741bb55---95336863971.pdfIn PDF document text
- http://vinag7furniture.com/app/webroot/files/editor_upload/files/59852236684.pdfIn PDF document text
- http://compie.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160ac1e474fc06---tidijulizaw.pdfIn PDF document text
- http://www.eflox.net/wp-content/plugins/formcraft/file-upload/server/content/files/160ba811798eff---peginilez.pdfIn PDF document text
- https://muratay.nl/userfiles/file/luletasimenuvelelikope.pdfIn PDF document text
- http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/16090938e0e29a---60229808649.pdfIn PDF document text
- https://christembassybarking.org/wp-content/plugins/super-forms/uploads/php/files/719c999dc44fd371235a130dbd356235/padosilulapifexevapafuz.pdfIn PDF document text
- http://atut-biuro.com/uploaded/file/riwusuzatagisuxom.pdfIn PDF document text
- http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160b636ebd8291---radotadabijobirabiwejiw.pdfIn PDF document text
- https://sasalidayanisma.org/uploads/file/woteviwamovupuluvogujopud.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000db65.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDB65	5360 bytes
SHA-256: `60952fe044f558ce1c47249b53f4c68470898bb052120fed39a507bdaf4b923f`
`font_01_sfnt_off0000ed8b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED8B	13376 bytes
SHA-256: `e497b19e53e83fc6fccb6b275c63eef53681ecefd6b7d8291465dd3885e4811a`

Open this report in the interactive analyzer, or submit your own file for analysis.