PDF malware analysis — malicious · 6512b27bbf6f7d9f

MALICIOUS

PDF

646.3 KB Created: 2021-05-06 17:28:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24

MD5: b5ec32b43911fba23748febef96650ae SHA-1: 21fc138e0787042ee1d3e9e566348517c6b69338 SHA-256: 6512b27bbf6f7d9f3f8d29830758fae138b43ff7f166e0c4d541f604a4a195c3

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains a link farm pointing to multiple compromised WordPress sites, suggesting an attempt to distribute further malicious content. The presence of external URIs and a link farm on compromised CMS upload storage are strong indicators of a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.8943

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://alemotta.com/resources/original/file/30778986312.pdf In PDF document text
- http://bazatalty.pl/wp-content/plugins/super-forms/uploads/php/files/544ebe4ecf9bd2bd61ac52b09a1fc332/20794130860.pdfIn PDF document text
- http://escolacaritas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b2dffdbe64---67373683711.pdfIn PDF document text
- http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c53f10fba2---51094515056.pdfIn PDF document text
- http://bjoybrands.com/wp-content/plugins/formcraft/file-upload/server/content/files/160737ce797534---5974059165.pdfIn PDF document text
- http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/1ba23035659c680d33580c3dce96ec4d/vefibaraduxibamo.pdfIn PDF document text
- https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/ac884960aed4b95b7c0dc4911b6b876d/rowuwi.pdfIn PDF document text
- http://www.rlktechniek.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16079dbedc3ce6---17862610451.pdfIn PDF document text
- http://www.1atlanticfunding.com/wp-content/plugins/formcraft/file-upload/server/content/files/160841edabcc77---5976326142.pdfIn PDF document text
- http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072632d72e18---74132159894.pdfIn PDF document text
- http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f5ec9cb499---lotitunedetemomuda.pdfIn PDF document text
- https://www.formwork.co.uk/wp-content/plugins/super-forms/uploads/php/files/si449gpqfbulq0eb0nn2hsrc0c/mudux.pdfIn PDF document text
- https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16084a769c6d77---47407663315.pdfIn PDF document text
- https://investainternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e067064d9f---dijuvupipepogukalegakug.pdfIn PDF document text
- http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608b408370369---22424305912.pdfIn PDF document text
- https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/160903f5e8eb9c---18755552928.pdfIn PDF document text
- https://infravoip.com/wp-content/plugins/super-forms/uploads/php/files/1d5bcbd0ba54217b1308eb100f2258fe/30597151383.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=renaissance+periodization+hypertrophy+template+pdfPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0009c77f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9C77F	5556 bytes
SHA-256: `926f24dc49c91a89fef57a79590d8f4fcdf49073d1bcf64cb72ad193e2488d53`
`font_01_sfnt_off0009da51.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9DA51	14816 bytes
SHA-256: `419415f538ded15ec250c02992572d1a5bd59beb487f1619d4623c014aca29d2`

Open this report in the interactive analyzer, or submit your own file for analysis.