PDF malware analysis — malicious · 799dc8317078e058

MALICIOUS

PDF

95.2 KB Created: 2021-08-09 02:10:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-20

MD5: 5b6b5107f2e93eea5e3358322eab144a SHA-1: 3dc6aa5f1167a442a7709ff438b0d134bcb6cb1f SHA-256: 799dc8317078e0580b8779b06b8b05ce31020f2c4f310c36d8e936529b50c7a7

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV specifically identifying it as Pdf.Phishing.Trojan. The presence of numerous external URLs, many hosted on compromised or disposable domains, suggests a phishing or malware distribution scheme. The document likely serves as a lure to trick users into downloading further malicious content, as indicated by the 'SE_DOWNLOAD_BUTTON' heuristic.

Machine Learning

Nyx PDF Classifier malicious score 0.9637

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://oniceh.ru/uplcv?utm_term=talking+tom+2+hack+mod+apk+ios PDF link annotation
- https://balajitutorial.com/admin/userfiles/file/bigabemebivoferezefub.pdfIn PDF document text
- https://eminentland.com/admin/userfiles/files/50240352011.pdfIn PDF document text
- https://www.temsilcisitesi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072a75972509---nikiwakogozunegojixuwalox.pdfIn PDF document text
- https://www.etbsupplies.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073592b45437---daluvatisunimadikuza.pdfIn PDF document text
- http://asu.com.vn/wp-content/plugins/super-forms/uploads/php/files/c2lhvntvagvsgi9jhc0ej6r78c/34049841037.pdfIn PDF document text
- http://washchienluoc.com/upload/file/supizefekixafexigezu.pdfIn PDF document text
- https://eandjfamilyhealthcenter.com/wp-content/plugins/super-forms/uploads/php/files/e9ba70577531660c2034eab449c2b158/10829367060.pdfIn PDF document text
- https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be453e15c24---debejatovagalaratenilidu.pdfIn PDF document text
- https://joepromenshealth.com/wp-content/plugins/super-forms/uploads/php/files/d8f24300d7970856d5054ce69356b3f7/65033187737.pdfIn PDF document text
- http://mgocsm.in/userfiles/file/17865028884.pdfIn PDF document text
- http://www.rebranded.tv/wp-content/plugins/formcraft/file-upload/server/content/files/160fd5629d8c1a---devumuv.pdfIn PDF document text
- http://longearedhounds.com/clients/65743/File/bodax.pdfIn PDF document text
- http://zaun-produzent.de/userfiles/file/puxedoxojoretovovuwifu.pdfIn PDF document text
- http://fixafilm.se/userfiles/file/96414575677.pdfIn PDF document text
- http://dhs1970.com/clients/9/98/98bceae81adeaace0f0761aa7b0d12fa/File/39945936420.pdfIn PDF document text
- https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/36ee2bab151f211521296a85538159f0/rafixakasap.pdfIn PDF document text
- https://www.advids.co/wp-content/plugins/formcraft/file-upload/server/content/files/160748d173d5be---polex.pdfIn PDF document text
- http://brenno-tojestto.pl/userfiles/file/45473517654.pdfIn PDF document text
- https://kristinanamaste.eu/files/52085070303.pdfIn PDF document text
- http://wypelnienia.kratex.pl/wp-content/plugins/super-forms/uploads/php/files/9817d4b23186e851ce75130de9bdbd72/fikaxuxeninupan.pdfIn PDF document text
- https://kabelkyaobuv.sk/editor_uploads/files/26605826126.pdfIn PDF document text
- https://ancoraeducacion.com/images/zajik.pdfIn PDF document text
- https://louvre.lv/res/wysiwyg/file/79926198286.pdfIn PDF document text
- http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/160786cf238590---vawewuzigividumorowiga.pdfIn PDF document text
- https://phoenixknights.co.uk/wp-content/plugins/super-forms/uploads/php/files/3fc59e8f7a354937a5edaaaaedee9a63/87794078475.pdfIn PDF document text
- http://dancephoto.ru/userfiles/files/metodidumef.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000eea8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEEA8	2420 bytes
SHA-256: `b4e8398d08a0b2e5a8c845c5f744440ee2aeee5b0aeef4e7989f051fe87d2c6e`
`font_01_sfnt_off0000f910.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF910	17660 bytes
SHA-256: `2f484816c754736ceebb464a4ec77d5f4a71cfc043175a35f6a4e5194832bf28`
`font_02_sfnt_off000126bf.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x126BF	10904 bytes
SHA-256: `481da5cf33c9cccb222cb133cf5b67d5222e0ffe3a71bd07e4aeb9f1220d4cb3`
`font_03_sfnt_off00013f9f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13F9F	16368 bytes
SHA-256: `ab418013a5a681a25d914f4865e6986b2b5ce80383f8612ca72718f5efb93309`
`font_04_sfnt_off00015605.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x15605	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.