PDF malware analysis — malicious · 6d65e456509ca02e

MALICIOUS

PDF

349.1 KB Created: 2021-07-02 11:50:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: ee2a8f5dbed3885f98f79258b37d65d3 SHA-1: c109591144e63efae2e1d87761eb9722971d589b SHA-256: 6d65e456509ca02ed56149cbd787bec33940fd367667372f1238509683d9ee78

126 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous links pointing to compromised WordPress sites, specifically within the formcraft plugin's file upload directory, suggesting a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or delivering a trojanized PDF. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9778

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.medicalart.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b3f9c79cc70---82116799659.pdf
- http://busangh.com/attfile/fckimg/file///2021061804457_458578426.pdf
- http://abwlanham.com/uploads/files/kuzedujiwugededufo.pdf
- https://www.nosolodespedidas.es/wp-content/plugins/formcraft/file-upload/server/content/files/160bb121a85d4b---kiwatigefegepunim.pdf
- http://www.aportecnica.com/imagenes/editor/file/96596105670.pdf
- http://pnktools-th.org/ckfinder/userfiles/files/nesoxuwodewedosoduritupu.pdf
- https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070f503e1dcd---58142963222.pdf
- http://thefutureofgolf.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16079bebac310d---19609419077.pdf
- http://penoplex24.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160879d60dd0c8---70127892404.pdf
- http://airconbank.com/upload/fckeditor/file/fefigasi.pdf
- https://daaeportrett.no/upload/file/74425924054.pdf
- https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/c754ce2e3d04698d5151a71ac8110951/26291898512.pdf
- https://diversifiedhumansolutions.com/wp-content/plugins/super-forms/uploads/php/files/7768fd44bed1fde35634303bd9ae6483/56347951764.pdf
- https://murten-hotels.ch/userfiles/files/80807680754.pdf
- https://heykidsletscook.info/wp-content/plugins/super-forms/uploads/php/files/3b989a8b18836cee652e01703fcbf3d1/tonaxodibuvadomevaduxugit.pdf
- http://nadiadsa.org/userfiles/file/xuzimumigerirujinas.pdf
- https://www.hauptsache.cc/wp-content/plugins/formcraft/file-upload/server/content/files/16078286117bcd---98770414050.pdf
- https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/6d90bbfdfbd78d8d305647a77b4905ae/4268799365.pdf
- https://turkihale.com/userfiles/file/55072551956.pdf
- https://aplusadvance.com/naver_editor/data/file/78977612134.pdf
- https://www.citysecurity.org.uk/wp-content/plugins/super-forms/uploads/php/files/metu7qrut8pcspe1e8va6kpakj/fomuxexametitefarerubutal.pdf
- https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/fudfhhda92b40nokhgae1oc444/dogavilozevomimi.pdf
- http://xn----7sbabaajmdfbk3ddf3azka3b6a2r.xn--p1ai/ckfinder/userfiles/files/valutov.pdf
- http://amtusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f70ff25e1e---tojimiwojubelemuwulo.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=match+each+vocabulary+word+from+the+article+with+the+correct+definition
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0004f1c6.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4F1C6	16792 bytes
`font_01_sfnt_off000509d8.bin` `19586998656833b1886d2a5089e4c0bac713b30dfdff5d714537b520f200556b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x509D8	26088 bytes
`font_02_sfnt_off00054c02.bin` `9673fa3f1d9706a79ba32daed28cc4639fb3d743f3907c30a000f58013844c66`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x54C02	11072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.