PDF malware analysis — malicious · 750e84dfe49a5813

MALICIOUS

PDF

123.4 KB Created: 2021-09-05 05:28:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: b756465bdbfe0fad4aa53af600bbf8f1 SHA-1: 80477ecf266df738befb16cf07caa7534981f271 SHA-256: 750e84dfe49a5813e43c3f098352cec01eff6255ddc7bc3e81ff9d277fd3ef66

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links, many pointing to websites hosted on compromised CMS platforms, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The document body is heavily obfuscated and unreadable, providing no direct user-facing content but the structure and heuristics point to a link farm designed to redirect users to potentially harmful sites.

Machine Learning

Nyx PDF Classifier malicious score 0.9978

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://khachsansapa.vn/webroot/img/files/20857412567.pdf
- https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/m10ocm4q3a3be1i478k1dmi0kl/47034925920.pdf
- http://elsekmont.eu/userfiles/file/40079379251.pdf
- http://littlepearlbooks.in/data/eimages/file/27594065147.pdf
- https://spherule.org/wp-content/plugins/super-forms/uploads/php/files/mbv486qdta50oocafnpibcdn17/deduketelofokum.pdf
- http://jrpst.pl/userfiles/file/18747929300.pdf
- https://abeess.com/userfiles/file/21355402074.pdf
- https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/19bfgvrt87ecdpi34b7a0rom1i/zodixegetopixelopajugep.pdf
- http://murielbellhomes.com/userfiles/files/wukujafipogu.pdf
- https://donnasalon.ru/wp-content/plugins/super-forms/uploads/php/files/cf780567de0610562b732739117ac9a4/zalezewirew.pdf
- https://styliststudios.com/imagesTE/file/xopufekuduzemugelelej.pdf
- https://mymovingestimate.com/wp-content/plugins/super-forms/uploads/php/files/a9f9e54786e30d0e1c5653eac6435018/xuximopebosuxibikadupu.pdf
- http://rudolphalexander.com/uploads/files/gikadufuk.pdf
- http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16085bf3be45e9---60290001736.pdf
- https://all-new-wow.com/upload/files/85034794200.pdf
- http://vivaldiskibus.com/FileData/ckfinder/files/20210823_290A7F4EDA436E6D.pdf
- http://garmagostaran.com/Upload/file/lonuxagiwexi.pdf
- http://georgekoldun.com/var/upload/file/32241176092.pdf
- http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160b30b1fa290a---90323777564.pdf
- https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/45cf255f6142c1d074e948ff493de1bb/55364174019.pdf
- http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b237312119a---goxatiramaxiwajamin.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=desarrollo+humano+pdf+senati
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001768b.bin` `fa85c836b31bba1ecf8506694e2f535c6673fac3e79108ee66bab22d3e969a4b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1768B	10864 bytes
`font_01_sfnt_off00018f69.bin` `26ebf99b306462853b295a42e9a3c27c786193cd41c0ac48109f5055d3569004`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x18F69	22104 bytes
`font_02_sfnt_off0001c815.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1C815	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.