PDF malware analysis — malicious · 67ecb6e72825adfb

MALICIOUS

PDF

97.5 KB Created: 2021-07-07 10:58:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23

MD5: 0718a31f3436e94aa1b5efaec6fea9e5 SHA-1: 0b230af9afebfd2bebaefaa3ac59e4aac1a9e5c8 SHA-256: 67ecb6e72825adfbf1024a5bfe88228dc0eba6cb076dd15566e8f583f52a9eec

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by ML classifiers and ClamAV as malicious. It contains a link farm with numerous URLs pointing to PDF files hosted on compromised websites, indicating a phishing or malware distribution attempt. The document body is heavily obfuscated and unreadable, suggesting an attempt to hide its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9822

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/dqc0qn3j83m3obbn6emndgou72/70510506085.pdf In PDF document text
- http://dgjst.com/upfile/file/57430062762.pdfIn PDF document text
- https://tfnd.org/wp-content/plugins/super-forms/uploads/php/files/f92a0e2b58ec4dbeec424bd214b35dff/34282392496.pdfIn PDF document text
- https://northstarexecutivesearch.com/wp-content/plugins/super-forms/uploads/php/files/52fad90fbddbf96dae8f97af237eb7bc/68767468246.pdfIn PDF document text
- http://famcareconnect.org/wp-content/plugins/formcraft/file-upload/server/content/files/160774a6e3d246---55381575696.pdfIn PDF document text
- https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c4e823ce6fa---94138902043.pdfIn PDF document text
- https://xn--hjrnskadeakademien-mtb.se/userfiles/file/gipifewobowix.pdfIn PDF document text
- https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/16087ea867aba3---70940063715.pdfIn PDF document text
- http://www.optionassurance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1606ead169383b---karexupanowarepef.pdfIn PDF document text
- http://aweibel.com/Photo/file/jezixaji.pdfIn PDF document text
- https://agilitynd.com/wp-content/plugins/super-forms/uploads/php/files/0796709f6c16ef0332ba179a3486c0b5/66251466908.pdfIn PDF document text
- https://btcauction.vn/hinhanh/file/jafaboximamugajoxag.pdfIn PDF document text
- https://www.partyshuttlebus.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16098ac7832061---25213615564.pdfIn PDF document text
- https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/hli2lae6e6cro7hmt14duislf0/xuludopidorafiwelilubuv.pdfIn PDF document text
- https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/3525c12f21f0378c775aebc7030c25d2/tamasofapeteseraxegatedum.pdfIn PDF document text
- http://hotelrealerimini.it/userfiles/files/40571342771.pdfIn PDF document text
- http://tsg-edinstvo.ru/userfiles/file/38162507871.pdfIn PDF document text
- https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/a3e618fe6c26e00dab3b5ea3579d78a5/fazowaluza.pdfIn PDF document text
- http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/1606fa481514a3---66774132537.pdfIn PDF document text
- http://www.gaviprintpack.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f364e639a0---kuwokulabo.pdfIn PDF document text
- https://maugli24.ru/wp-content/plugins/super-forms/uploads/php/files/01d1c8caf103267f678ca7c229ed0c05/42126609611.pdfIn PDF document text
- https://g3az.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d1df33347c---9101276453.pdfIn PDF document text
- https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/nsgao645mecnn8jujclmgbsfhl/bubuwo.pdfIn PDF document text
- https://www.bistro-e.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072e4628d3ef---3719511695.pdfIn PDF document text
- https://agribusiness.pk/wp-content/plugins/formcraft/file-upload/server/content/files/16077f682ea0b6---73414946794.pdfIn PDF document text
- http://broadmoor80.com/clients/866172/File/4990415029.pdfIn PDF document text
- https://marciasmithconsulting.com/wp-content/plugins/super-forms/uploads/php/files/db4664d9933326c91802daf7abc46501/14851350834.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=cartago+costa+rica+things+to+doPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011822.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11822	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00013034.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13034	17972 bytes
SHA-256: `799088249268a29fe63af4d34646572c11ee1c93cf4cdc4224870ceaf1d5d2b5`
`font_02_sfnt_off00015f38.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15F38	10504 bytes
SHA-256: `2238fdad594b71fe7c79e8a62650e1e3089d87b070c44be9ed8b860a46398bd7`

Open this report in the interactive analyzer, or submit your own file for analysis.