PDF malware analysis — malicious · 71ac8043b0b67859

MALICIOUS

PDF

93.0 KB Created: 2021-06-28 21:02:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-29

MD5: 1a123ded1d671bbbc35acc5e84693f53 SHA-1: 8fbce0c4c898f25ef933f7a457f418dcda416885 SHA-256: 71ac8043b0b678598a3b7f164e30d12f3e4b4408c5c6e18fe6122508bf489be6

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links to compromised WordPress sites, suggesting it's part of a link farm designed to redirect users to malicious content. The heuristic 'SE_CALLBACK_LURE' indicates the document likely presents a fake billing or security issue to prompt a user to call a number or visit a link, aligning with phishing and tech-support scam tactics.

Machine Learning

Nyx PDF Classifier malicious score 0.9937

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://queure.ru/uplcv?utm_term=joining+an+extension+to+a+conservatory PDF link annotation
- http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080b490e0086---silam.pdfIn PDF document text
- https://stagerightstaging.com/wp-content/plugins/super-forms/uploads/php/files/90371c7c5bd00028613991c8d813c1dc/51974143908.pdfIn PDF document text
- http://liburnia.pl/userfiles/file/lemudoga.pdfIn PDF document text
- https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/mcv30lki71vdjarp4ghb3q878m/24995739240.pdfIn PDF document text
- https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/5c11f5ce78e50ac10f130596b6c0f5fa/41801253232.pdfIn PDF document text
- http://asesorialuishervas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b49e26123c6---26464722795.pdfIn PDF document text
- http://www.hkwebdesign.com.hk/wp-content/plugins/formcraft/file-upload/server/content/files/1608487b6681bc---guvorizinuvakozevizatoz.pdfIn PDF document text
- http://mgmkt.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16079d48939953---3085808804.pdfIn PDF document text
- https://gservicepz.com/wp-content/plugins/super-forms/uploads/php/files/1729ab7108359e979ec43300ed917ea3/40845697384.pdfIn PDF document text
- http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074229787e3c---mirufebepanavuza.pdfIn PDF document text
- http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/160784378bc7a0---20238008194.pdfIn PDF document text
- http://zrdb-drogbud.pl/Upload/file/wetekexowovusabipobo.pdfIn PDF document text
- https://inchirierielicopter.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160a5242166027---76928923329.pdfIn PDF document text
- http://1utilaje.ro/mm/file/banexivebitaxabudevolugu.pdfIn PDF document text
- https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/a9d6588ef18f2a1d94e19207ab382482/70110254589.pdfIn PDF document text
- http://didocrosby.com/imagenes/file/4585458645.pdfIn PDF document text
- http://hitecds.com/userfiles/file/13833129665.pdfIn PDF document text
- https://athensviptour.com/wp-content/plugins/super-forms/uploads/php/files/46bf40a433ceda13608fc5cde12c84a3/gukevekagagubafiwopobolep.pdfIn PDF document text
- http://renovator.cz/files/file/6625353137.pdfIn PDF document text
- http://glcore.net/ckfinder/userfiles/files/38442493630.pdfIn PDF document text
- http://hchs1972.com/clients/2/2c/2cb73362227bcfbd3ed6ae01b5b3dc46/File/53464923518.pdfIn PDF document text
- http://www.lifestaralberta.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a607e61aaeb---teliminukidikopiv.pdfIn PDF document text
- http://akcjonariusz.com/UserFiles/file/pigevewazenimewibomopup.pdfIn PDF document text
- https://alphaveneers.co.uk/wp-content/plugins/super-forms/uploads/php/files/1b4edfc2a0ee31c9a7baf50c0b435d9c/44468292223.pdfIn PDF document text
- http://slp72.com/clients/7/7b/7b902bee17765b19ebdde6030f24742d/File/12340810995.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000108c3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x108C3	17120 bytes
SHA-256: `051d8a31ee990de89378c851db8e7fa3f9081db4c68edc442d02d0f135b1b81c`
`font_01_sfnt_off0001358c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1358C	10632 bytes
SHA-256: `c4ae6576a1444f4adc16374a73e5d8a7e4a44b2b741373fb9cad9432616feb10`
`font_02_sfnt_off00014e2a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14E2A	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.