PDF malware analysis — malicious · 64bea4c1e97d4d12

MALICIOUS

PDF

94.5 KB Created: 2021-07-05 01:53:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25

MD5: 4989946698a29b53ac6b2c92d647aa9c SHA-1: a9a829a6cdadaf4a591416f5cfcdb04dc8f1e48e SHA-256: 64bea4c1e97d4d1219e1ee12136de3661cd69240a7bb2c51f12fd578e1ca32dd

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links pointing to compromised WordPress sites, suggesting it's part of a link farm designed to redirect users to malicious content. The presence of embedded URLs and the nature of the heuristics strongly suggest this PDF is used as a lure, likely for phishing or to deliver a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9942

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL

PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cc138187d50---22066311765.pdf In PDF document text
- https://controlcert.se/wp-content/plugins/formcraft/file-upload/server/content/files/16073af246bb91---jesomegoxawi.pdfIn PDF document text
- http://www.communityheroesproject.org/wp-content/plugins/formcraft/file-upload/server/content/files/160cb81e30eb53---96984079853.pdfIn PDF document text
- https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cc18c0313b6---71888551234.pdfIn PDF document text
- http://www.suffaheducation.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084da84d28ff---vaponefeminafawetu.pdfIn PDF document text
- https://thewentworthco.com/wp-content/plugins/super-forms/uploads/php/files/1csqpr2j9s7sqm3qlh8ltonrhr/gepamuwuzit.pdfIn PDF document text
- http://dui-antidote.com/images/userfiles/file/43025975593.pdfIn PDF document text
- http://osullivanspressurewashing.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071692989bf5---28763251996.pdfIn PDF document text
- https://web-sila.ru/wp-content/plugins/super-forms/uploads/php/files/c2d11548dbc0b8ddc50f13c4e8e37b6d/saluxakegawufojiribixe.pdfIn PDF document text
- https://rjiminfra.com/wp-content/plugins/super-forms/uploads/php/files/def33b764b0ccbc935ed2c37245b3cb3/47830988278.pdfIn PDF document text
- https://www.caesarstravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e288f026ea---bosivazimevukalesefam.pdfIn PDF document text
- http://104.156.58.56/~web2inbox/wp-content/plugins/formcraft/file-upload/server/content/files/1606f073a30cd5---79209824711.pdfPDF link annotation
- http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/d9a3dd5f10d393225f69381d7967c0eb/41104375912.pdfIn PDF document text
- http://www.magicapro.it/wp-content/plugins/formcraft/file-upload/server/content/files/1606cfa2ad5585---sipotalasiwajaxupon.pdfIn PDF document text
- https://pima-alarms.rs/slicice/file/16580879258.pdfIn PDF document text
- https://artbynela.com/uploads/file/bebimilelajinizat.pdfIn PDF document text
- https://ocvirapuato.com.mx/wp-content/plugins/super-forms/uploads/php/files/ec8e58f0fe38168b0312fcacc75fc116/21662847689.pdfIn PDF document text
- https://jetzterstrecht.hamburg/wp-content/plugins/super-forms/uploads/php/files/i5funu0veiq3pmn3e5u9ood0aj/zunetasilegumuxolamusurow.pdfIn PDF document text
- https://gulyaskantin.hu/uploads/frontend/files/88085158688.pdfIn PDF document text
- http://secohthailand.com/file_media/file_image/file/nugawabumilugul.pdfIn PDF document text
- http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160af5d12f211f---siwikukax.pdfIn PDF document text
- http://nordicaluminium.ru/userfiles/file/dubekuxuzaxinobelavetudex.pdfIn PDF document text
- https://heykidsletscook.info/wp-content/plugins/super-forms/uploads/php/files/b32eba608dc3ab1a931d42ee2cacc417/48950038082.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/3vuEKuznOb8/uplcv?utm_term=approaches+to+the+study+of+public+administration+pdfPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010c12.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10C12	17524 bytes
SHA-256: `c576c4dba3b48b922d709fba072411f3a767104fe406efba993e3d338a3058f8`
`font_01_sfnt_off00013a2c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13A2C	11220 bytes
SHA-256: `0b6154ca84fdf70108fd43350b5e9e3cba2636fbc2e9e9ad0c3f4adbf444ff86`
`font_02_sfnt_off00015415.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15415	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.