PDF malware analysis — malicious · 65d5d030f16337b9

MALICIOUS

PDF

70.6 KB Created: 2021-09-21 00:45:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: f6b8ddc654b6147582f728c8dc66c1f0 SHA-1: 86c074f1d951bd9d7c3ba6cc8774e17bdcd2abcf SHA-256: 65d5d030f16337b9f841d5f541349465588d6138bab1e64ec22c2a963e20ea20

132 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a significant number of external links, many pointing to disposable domains and compromised WordPress uploads, indicating a link farm designed to obscure the ultimate destination. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to phish credentials or deliver further malware. The embedded JavaScript is a common technique for initiating malicious actions within PDF documents.

Machine Learning

Nyx PDF Classifier suspicious score 0.2573

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://istanajp2.com/contents/files/wejidofujuvajajere.pdf In PDF document text
- http://aluminial.pnh.pt/js/ckfinder/userfiles/files/sefimiwos.pdfIn PDF document text
- http://marta-galan.com/files/varios/file/57330329557.pdfIn PDF document text
- https://pfhotel.gr/ckfinder/userfiles/files/bulapurexonig.pdfIn PDF document text
- http://resetimpianti.it/reset/public/file/50216492295.pdfIn PDF document text
- http://olsztyntransportmedyczny.pl/userfiles/file/pimixosujiseresene.pdfIn PDF document text
- http://hyundai-dongdo.vn/images/files/gudixunezanelurebonobomej.pdfIn PDF document text
- https://whitesal.com/data/images/file/3654_20210904132533.pdfIn PDF document text
- http://charivne.info/images/file/foduwapumerifeposoxofuveg.pdfIn PDF document text
- https://skinrepublic.vn/webroot/img/files/tupovofixurufonobev.pdfIn PDF document text
- https://akconta.com/uploads/files/51624241511.pdfIn PDF document text
- http://absolutelyneon.com/userfiles/file/4589484153.pdfIn PDF document text
- https://egyiksem.hu/uploads/file/biwumi.pdfIn PDF document text
- http://kqcme.yiaiwang.com.cn/upload/files/51921305710.pdfIn PDF document text
- http://andreagarciam.com/wp-content/plugins/formcraft/file-upload/server/content/files/161397dfb45617---49003580536.pdfIn PDF document text
- http://kfnmdg.com/upfolder/e/files/20210914190133.pdfIn PDF document text
- http://birzebbugastpetersfc.com/files/file/papadofosejidi.pdfIn PDF document text
- http://johndanton.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/22932667296.pdfIn PDF document text
- https://www.dynasil.com/wp-content/plugins/super-forms/uploads/php/files/81e00f0310c5c5e024b9a5eb7c2a88eb/morekilererovo.pdfIn PDF document text
- https://pediatricpotentialsnj.com/PP/PPpng/files/zixojorisulalim.pdfIn PDF document text
- http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/4282d5cd7d802d5c7627bb8f1be7045f/nutoxa.pdfIn PDF document text
- http://ginzaramen.us/uploads/files/vogesevigitefufif.pdfIn PDF document text
- http://matras-devison.com/upload/file/18302044346.pdfIn PDF document text
- https://turismo-galicia.es/ckfinder/userfiles/files/89890496386.pdfIn PDF document text
- https://alev.az/userfiles/file/24662830022.pdfIn PDF document text
- https://autotoner123.com/home/autotone/public_html/ckeditortest_WORKING/ckfinder/userfiles/files/moxigawetodiben.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3vuEKuznOb8/uplcv?utm_term=wavelength+chart+of+electromagnetic+wavesPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cc58.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCC58	10928 bytes
SHA-256: `fc4edb2e33e51ae6c114da619430729510f0073ac4ca87b0d3227dd01880d9f1`
`font_01_sfnt_off0000e587.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE587	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.