PDF malware analysis — malicious · 663b5a6c186cf69b

MALICIOUS

PDF

72.0 KB Created: 2021-09-03 20:27:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: 79f5bb32a1eaf6a68f85b05ea51367ad SHA-1: 4da1afb55642f5c42de2acd57076fa8bd58fb371 SHA-256: 663b5a6c186cf69beca918ef5ac5fe2e4556cf5d7cb541d90ff9c35254994adf

162 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous links to compromised WordPress sites, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier further support its malicious nature. The embedded JavaScript likely facilitates the redirection or download of a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.6691

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cructi.ru/uplcv?utm_term=embolo+definicion+pdf PDF link annotation
- https://popcouncilinstitute.org/wp-content/plugins/super-forms/uploads/php/files/330b49736f0ee42b1780125a3d12d9ac/bemowopujonusebavapovux.pdfIn PDF document text
- http://www.icodar.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8f4b2a0322---56549731659.pdfIn PDF document text
- http://ohmamakitchen.com/uploads/files/56581477394.pdfIn PDF document text
- https://steammining.com/userfiles/file/xidezuditu.pdfIn PDF document text
- https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ba1e9892cd5---5338511720.pdfIn PDF document text
- http://www.kissdocs.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609f665a2382d---bapamawaxodazokomuzura.pdfIn PDF document text
- https://www.tulsarad.com/my_content/js/ckfinder/userfiles/files/11168172304.pdfIn PDF document text
- http://www.sunarozlem.com.tr/wp-content/plugins/super-forms/uploads/php/files/ds9tegrs566j9pirjc2j23gi20/detalirosawirozeziwu.pdfIn PDF document text
- http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/57080be5ee8cdf25d9fd994eb62fafe0/momepo.pdfIn PDF document text
- https://activepymes.com/pub/file/tuxeresawomivabap.pdfIn PDF document text
- https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/161041c3b5c534---78489706335.pdfIn PDF document text
- http://cerezolorente.com/files/cerezolorente/_repo/file/zajupofa.pdfIn PDF document text
- http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160efd9c07af62---burodejeg.pdfIn PDF document text
- http://ildongwire.com/userfiles/file/jizopipuluxifogajefad.pdfIn PDF document text
- http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c5a48c25f51---73492131020.pdfIn PDF document text
- http://lotuscourtpune.com/wp-content/plugins/super-forms/uploads/php/files/132d74d1e1dbee61e0f137c4029edb1d/69760666984.pdfIn PDF document text
- http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/16130af75a4846---68158500963.pdfIn PDF document text
- https://www.llgnjinc.com/wp-content/plugins/super-forms/uploads/php/files/15ca394902bc2c938c9f69a39f530c2f/vagupur.pdfIn PDF document text
- http://ck-kutnahora.cz/gais/image/file/83602835244.pdfIn PDF document text
- http://boschvietnam.vn/files/usersfiles/files/puravexozazupu.pdfIn PDF document text
- https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb2eeaf380---wenebonepovuzuduki.pdfIn PDF document text
- http://www.itbaloch.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be9468daacd---todovurewezikasek.pdfIn PDF document text
- http://cerezolorente.com/files/cerezolorente/_repo/file/xajekukawurugifev.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e461.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE461	20036 bytes
SHA-256: `8bd1bf76068f69f4b3fc73949fbbeab5265fdd9ecfc2e5e405ab28d8fd81def7`

Open this report in the interactive analyzer, or submit your own file for analysis.