PDF malware analysis — malicious · 62f047f991488d4e

MALICIOUS

PDF

90.0 KB Created: 2021-08-09 14:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07

MD5: e66d6ac5b16e352fcf501af912e035a4 SHA-1: bfd60fd62b174ed9b7b2dc07096e50a65c5b344a SHA-256: 62f047f991488d4e118ef16f0223a7d97172a8492cb9d63cb8416d90a4315fae

236 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous links to compromised WordPress sites, indicating an attempt to host malicious files. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document instructs the user to download a password-protected archive, a common tactic to bypass gateway security. ClamAV detection and ML classification further support its malicious nature, likely serving as a downloader for a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9800

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/0eiqr4qtd51f5genhpto6mi912/35204200105.pdf In PDF document text
- http://manufim.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/160d099e3e987c---84370624094.pdfIn PDF document text
- http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098a20902806---1997838868.pdfIn PDF document text
- https://www.kiteschule-eckernfoerde.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606fdcc48a224---popusiz.pdfIn PDF document text
- http://thewellmanteam.com/userfiles/files/nubizubewelodamunilinil.pdfIn PDF document text
- https://realimpacto.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16105b9141e0e1---dumekisuvumumitolivutomo.pdfIn PDF document text
- https://htfcompact.com/wp-content/plugins/super-forms/uploads/php/files/f355da422d477b0cb3cb5d9bc6f4dd12/40330537723.pdfIn PDF document text
- https://mobiligennari.com/userfiles/file/9434040620.pdfIn PDF document text
- http://sisparts.pl/zdjecia/fck/file/luvug.pdfIn PDF document text
- https://weddingitaly.jp/images/file/98299368390.pdfIn PDF document text
- http://saikunghouse.hk/userfiles/poviroj.pdfIn PDF document text
- http://tiga.co.th/ckfinder/userfiles/files/ditelomurirujasidijelu.pdfIn PDF document text
- https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/33cadc3922d39690de9c5b2ba560d986/76011572935.pdfIn PDF document text
- https://worldkelo.com/wp-content/plugins/super-forms/uploads/php/files/b921b95c4b516e18b5429ef11420e434/nijuweka.pdfIn PDF document text
- http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b1eabe6e86---37459708980.pdfIn PDF document text
- https://cffcommunications.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/160ab8d404e93d---59037477755.pdfIn PDF document text
- https://gccpay.net/wp-content/plugins/super-forms/uploads/php/files/d12b381768f1fb3fa1ea167f208df1f4/42435752591.pdfIn PDF document text
- http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607176d864079---25290907397.pdfIn PDF document text
- http://veterinariacomportamentale.it/userfiles/files/bilamitetibaguxafe.pdfIn PDF document text
- http://starrwindow.com/clients/863399/File/fanijofewexasejavomope.pdfIn PDF document text
- https://nevisnews.com/userfiles/fojutodesadivebezataguzi.pdfIn PDF document text
- https://robinio.de/wp-content/plugins/super-forms/uploads/php/files/lgh495u2h1f14gqta4e831avvs/50135562491.pdfIn PDF document text
- http://www.guaitoli.eng.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609c6891e78b2---62760026699.pdfIn PDF document text
- http://mobydick-band.de/fckdata/file/8042839531.pdfIn PDF document text
- https://apexforestservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080275cbbf43---donubewekidoxenejaz.pdfIn PDF document text
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/160943a4ebd26a---toduzivenariri.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=fire+hd+8+tablet+review+2020PDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f968.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF968	17732 bytes
SHA-256: `f6b5f6125e7462f0b85d226f5e493ac3c9d6bdc69416996fa9296c0ecdf300c6`
`font_01_sfnt_off0001284b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1284B	10672 bytes
SHA-256: `5510ab2c7ae67e7956520c93137866159912a8623732de9edd82d976a7f533b7`
`font_02_sfnt_off000140f1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x140F1	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.