PDF malware analysis — malicious · 6ca0a40b1adef2c5

MALICIOUS

PDF

90.2 KB Created: 2021-06-28 15:47:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: 4aff5f4b4eebf87eb1d6d11d8b286493 SHA-1: 66c7027336c7485ed1b7b86e461919b0678ed8cf SHA-256: 6ca0a40b1adef2c533e7b1d4d0cba4f1e2f5c880080401a38a6b11cfeb0e893a

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics reveal it functions as a link farm, directing users to compromised WordPress upload storage and disposable hosting, likely to facilitate the download of a secondary payload. The presence of a 'download button' lure further supports a phishing or social engineering attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9835

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ltgtrends.com/wp-content/plugins/super-forms/uploads/php/files/73821f85aeaf3cd619e1dbfd59d71a38/bozovafexakopijizivi.pdf In PDF document text
- https://prokoncept.hu/admin/blogfck/image/file/90968773931.pdfIn PDF document text
- https://personalloan2u.com/wp-content/plugins/super-forms/uploads/php/files/93e427a363fdc2b4864a0ac428ef44bd/momil.pdfIn PDF document text
- https://loan-financial.com/wp-content/plugins/super-forms/uploads/php/files/cc4692108c2b51f06ccbaf6d673a8f9e/korufom.pdfIn PDF document text
- https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a6d5358a910---siwogunisifefeniba.pdfIn PDF document text
- http://vote4dannybarry.com/clients/2/2f/2f5d4f67c16906f9b09010289963de11/File/53830386873.pdfIn PDF document text
- https://www.mysmilestudios.com/wp-content/plugins/super-forms/uploads/php/files/e9c61e2a1b089f9ffb3c63db8b75a9e2/winifepoparafivanaduwib.pdfIn PDF document text
- http://thegreenlegacykeepers.com/clients/e/e8/e8dc17949b7ef813e9937e453902477f/File/kamurubev.pdfIn PDF document text
- http://www.mvdisposal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b785c7b0c4e---68199182804.pdfIn PDF document text
- http://silesiacapital.eu/data/file/14797435380.pdfIn PDF document text
- http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096b91ba1a83---71412091281.pdfIn PDF document text
- http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d5fada09f0---foxupoxebunujuw.pdfIn PDF document text
- http://mfplus.ba/wp-content/plugins/formcraft/file-upload/server/content/files/160ae8b1c45258---witobe.pdfIn PDF document text
- https://www.hintonassociates.com/wp-content/plugins/super-forms/uploads/php/files/ddcb066c08c669f3f1a7f0c1d58481a2/73622761510.pdfIn PDF document text
- https://adm.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/b9959e0d4ec9eb0db6fd5fbf83988c10/wegod.pdfIn PDF document text
- https://gresathouse.com/wp-content/plugins/super-forms/uploads/php/files/2d93ddf3fd7bd31038d8d7a35a2bec8e/kemugaduse.pdfIn PDF document text
- http://boldogelet.hu/media/59717674688.pdfIn PDF document text
- https://www.rogierstoel.nl/wp-content/plugins/super-forms/uploads/php/files/8psed7a9dl0vh16pem3m4hivc5/mipirewadetapimumuzeto.pdfIn PDF document text
- http://karmand24.ir/basefile/ehotel724ir/files/63971215147.pdfIn PDF document text
- http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b13e1752d93---piwuni.pdfIn PDF document text
- https://qualitycountscleaning.com/wp-content/plugins/super-forms/uploads/php/files/fa1c6935fdc2084d7435f1c129ccf536/sanedusuzadax.pdfIn PDF document text
- https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adee9f454c7---kadumiridimonixukejulalow.pdfIn PDF document text
- http://aaexpansionjoint.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087b840d6960---topitomuv.pdfIn PDF document text
- http://yossy.biz/userfiles/file/vepejawub.pdfIn PDF document text
- https://www.cdscabling.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607ef98a6848c---vejavaz.pdfIn PDF document text
- http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607450bdcdad7---4289062909.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=bubble+shooter+game+pc+downloadPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fcc8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFCC8	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off000114da.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x114DA	17048 bytes
SHA-256: `dfb63132ac421b11839f5242ca275e36ea81cabc16984852818d00a1c0d7aa57`
`font_02_sfnt_off0001415e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1415E	11248 bytes
SHA-256: `067deca57a265cf43a217b7e517f68c6e10f7f65083e2ec0ecf215be83a35a86`

Open this report in the interactive analyzer, or submit your own file for analysis.