PDF malware analysis — malicious · 76ac467ad36b86a7

MALICIOUS

PDF

101.2 KB Created: 2021-06-27 22:20:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25

MD5: bb2a25dbc6c191c1697069bb05ce1e40 SHA-1: ff80722f32d96fee510e1958b55d7ae1360b0d75 SHA-256: 76ac467ad36b86a7b76e9265007c57624b0ead296f1d2205842e4e5ff175782f

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous links pointing to compromised WordPress sites, suggesting a link farm designed to host and distribute malicious files. The ClamAV detection and ML classifier strongly indicate malicious intent, likely for phishing or malware delivery. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

Nyx PDF Classifier malicious score 0.9923

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bad3078fec0---3544825845.pdf In PDF document text
- http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c11f7634183---gapefumisefusepa.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b288103bc4a---zobetazo.pdfIn PDF document text
- https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/rvefm5b45q4mvlm4vlb1ge4d6b/2248885387.pdfIn PDF document text
- https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d20548a239---jizoviripidejojefu.pdfIn PDF document text
- http://scandirent-new.ru/uploads/assets/file/gupixusepasajinudezam.pdfIn PDF document text
- http://mg001.cn/upload_fck/file/2021-5-11/20210511224628461030.pdfIn PDF document text
- http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d34ece73b1c---67676289445.pdfIn PDF document text
- https://rubin2000-distribuitorshop.ro/userfiles/file/54752030965.pdfIn PDF document text
- https://beaumont-residence.com/wp-content/plugins/super-forms/uploads/php/files/127jfeb6em7obdsl4h3etfr9n0/nazimexegemuzezuvotoz.pdfIn PDF document text
- http://asirius.su/wp-content/plugins/super-forms/uploads/php/files/d62962827a07d8d9c20dd392f35940f6/22370314130.pdfIn PDF document text
- https://rlvanstory.com/wp-content/plugins/super-forms/uploads/php/files/4139d30284869345e60c390a2094423b/9810707053.pdfIn PDF document text
- https://floridaholidayplanner.com/wp-content/plugins/super-forms/uploads/php/files/7f62c6500833484fb8a32733208d8fed/tewofuko.pdfIn PDF document text
- http://www.gaviprintpack.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdaa53e0b86---pibat.pdfIn PDF document text
- http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad94cad174a---58985690376.pdfIn PDF document text
- http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/16088cf5728ca0---21567191808.pdfIn PDF document text
- http://hong-tour.com/FileData/ckfinder/files/20210624_0FE9575BF22C0B71.pdfIn PDF document text
- http://kino-profi.com/wp-content/plugins/super-forms/uploads/php/files/aa1929524b90c3a855ef0f1286b46f4a/boxoximijemozu.pdfIn PDF document text
- https://ecomassage.pt/wp-content/plugins/super-forms/uploads/php/files/0f0unojd2m4t5vuraqo8q08m4t/40881784833.pdfIn PDF document text
- http://www.euro-fly.eu/userfiles/files/25092855902.pdfIn PDF document text
- https://sharidendesignasphalt.com/wp-content/plugins/super-forms/uploads/php/files/0fec19684d04e372fe800d7a6e134872/vasamanawaraz.pdfIn PDF document text
- http://tingyi-bnb.com/CKEdit/upload/files/44266083495.pdfIn PDF document text
- https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c54cde4b2c7---62045480948.pdfIn PDF document text
- http://www.linkkorea.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/160add4b766e58---ritajakof.pdfIn PDF document text
- http://coffee33.ru/archive/file/98540970899.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=buried+zombies+mapPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012526.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12526	19096 bytes
SHA-256: `0fdb6f853ce91ff6fac88847387abc8bbed4ac4c28274179ee84b34770bf1416`
`font_01_sfnt_off00015715.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15715	10656 bytes
SHA-256: `7d10b0a2c66273e24a0baa9c3d35fefa6cf2f560a0141ef559be2c57ad30f445`
`font_02_sfnt_off00016f54.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16F54	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.