PDF malware analysis — malicious · 76707acdc7f651fa

MALICIOUS

PDF

74.1 KB Created: 2021-06-10 10:19:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 983e8295c927fb7580e48e32c3fc1b1e SHA-1: 4152abda64bc17dffa60846f2fa42c929f75863c SHA-256: 76707acdc7f651fa73c82d0bdae08821691a08c9d84cb5a53989105235ccf2de

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is classified as malicious by ML models and ClamAV, indicating a high probability of malicious intent. It functions as a link farm, directing users to various compromised websites, including those hosted on WordPress installations. The document body, though heavily obfuscated, contains text related to free music downloads, suggesting a lure to trick users into clicking these malicious links. The presence of external URIs and compromised CMS upload links points towards a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://catamma.ru/uplcv?utm_term=ride+twenty+one+pilots+mp3+songs+free+download
- http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/1b83ae68c6090d13ca4a4b5d29091018/89014347003.pdf
- https://www.charityweiss.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607d5632658bf---raloderagizujogedi.pdf
- https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/c3c44205af88b1447aab3282b993fe0a/54586814179.pdf
- https://antoinepanau.com/wp-content/plugins/super-forms/uploads/php/files/3ad0c5df6e7b917a9cbe9b83d9e63e99/31650957389.pdf
- http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097d66dc63ef---gevigoxajitove.pdf
- http://allycatering.com/userfiles/tuxivoje.pdf
- http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c0b141ed85f---vusavobe.pdf
- http://www.rec39.ru/wp-content/plugins/super-forms/uploads/php/files/c224b3d9c258503002234bf6bd5f8b55/32712913163.pdf
- http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d2b96df1ae---65054739438.pdf
- https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608e29f2eb662---22720369175.pdf
- http://www.rkcomdesignservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b675190258---nutipobokuxul.pdf
- http://forglass.sk/userfiles/file/gupupukoz.pdf
- https://independentmusicleague.com/wp-content/plugins/super-forms/uploads/php/files/e148bf39a222e5abba3c14075c711118/36675573092.pdf
- http://www.scmphotography.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607442dfacc0f---8689562384.pdf
- https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/ce4b6467eb4f3174b5772dde0cf5aa6d/sirejiganuwefeganijokovi.pdf
- http://bizwd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8a69a65af6---demamoxufen.pdf
- http://www.everhouse.lt/wp-content/plugins/formcraft/file-upload/server/content/files/1609e13733b971---72707299766.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e325.bin` `0d54608932637ce5dacaa82cda2b70921b3ff2cf46ebf09215c04f1d98d93f68`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE325	5728 bytes
`font_01_sfnt_off0000f6b2.bin` `fc150c4a3cafcf845e6bb5159c392d3e5f4e8d8075c28871cbed41ec108942de`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF6B2	10644 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.