PDF malware analysis — malicious · 6ed8f903a9c5f1fa

MALICIOUS

PDF

84.2 KB Created: 2021-09-16 05:28:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 83ec578ca73964c469834f284035c515 SHA-1: bc68aed811d6f0d7bf0366ae1f0aaf05bbdd251c SHA-256: 6ed8f903a9c5f1fa5642e6a63c91d38f2ab5b4782a75b7dfecbefab5c8c35639

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to compromised websites, a common tactic for distributing malware. The ML classifier and ClamAV detection strongly indicate malicious intent. The document's structure and embedded URLs suggest it is designed to trick users into downloading a secondary payload, likely a trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9977

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://trevorhannant.com/54890129825.pdf
- https://yomadesign.com/userfiles/Proj_Name/files/pivitomiwidobokikar.pdf
- https://ibrahimkoc.com/images/Media/files/ludaluneniwavixorinodopej.pdf
- http://stroyindustry.com/userfiles/file/99092403771.pdf
- https://adetexfoamgroup.centralcms.cloud/galeria/files/44184044335.pdf
- https://premiumvipbusiness.com/wp-content/plugins/super-forms/uploads/php/files/f0316e4c4b9656f5dc2a16a310aab264/bekaxopulowamujigik.pdf
- http://steelbo.com/uploads/admins/u0/files/20210905105622.pdf
- https://juvelyrikoscentras.lt/Files/file/sotubafiralerenelivebi.pdf
- https://yellowmangocafe.com/userfiles/file/53724813600.pdf
- http://www.christinemartin.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16142976c22184---jevomitawekeder.pdf
- https://medius.sk/userfiles/file/87556590645.pdf
- https://phoenixknights.co.uk/wp-content/plugins/super-forms/uploads/php/files/3899cbe2ab9d477a82e72e4e893d07eb/37562472625.pdf
- https://girl0229960192.com/upload/users/files/bepovadebikovigizudodoj.pdf
- http://p-jtech.com/userData/board/file/buwuxesulajovitiv.pdf
- https://www.champagne-auge-dascier.com/ckfinder/userfiles/files/70501290605.pdf
- http://happysmilecard.com/uploads/files/fipofusarojakevaloxufazam.pdf
- http://suliaox.com/v15/Upload/file/2021911919536726.pdf
- http://guowangcable.com/d/files/76488558880.pdf
- http://hitecds.com/userfiles/file/ruxebojaxirugab.pdf
- http://camdohungdung.com/upload/files/89461420488.pdf
- http://33podarka.ru/pictures/files/gulanafamutukotoxude.pdf
- https://asiahealthcaredentalcentre.com/ckfinder/userfiles/files/xisawisuwewakofutaji.pdf
- https://sinaia-vik.com/admin/fckeditor/editor/filemanager/connectors/php/file/38783981430.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=pickup+truck+robot+mod+apk
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e406.bin` `cd47a3d3da923ec113923482ede46d1fa2411faa3e066d20684a2283b9567f75`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE406	18192 bytes
`font_01_sfnt_off0001132b.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1132B	16792 bytes
`font_02_sfnt_off00012b42.bin` `1f3da39bdabd25cf8e8924cdc4bc14df867c9b5f30a3ac252b650a1cc5aaa9e6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12B42	10556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.