PDF malware analysis — malicious · 7b3492acbbfc8872

MALICIOUS

PDF

66.5 KB Created: 2021-07-21 05:11:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14

MD5: dc78e3a95c32669043d0875b7b580e0e SHA-1: 4963d0fa53f0fb93de5430d01193914f90add83a SHA-256: 7b3492acbbfc8872ee76e96cb12d16072edfc840f01393e20aea1c2be1af3287

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file contains numerous links to compromised websites, indicating it functions as a link farm to distribute malicious content. Heuristics suggest it's a link farm on disposable hosting and points to compromised CMS uploads, with ClamAV identifying it as a phishing trojan. The ML classifier also flagged it as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.6824

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/065jtebja923pgovi2e10jhbo1/wuregisarululasajuzojase.pdf In PDF document text
- https://www.kngroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b8a2b4524c2---jazamililigufixefovi.pdfIn PDF document text
- https://kvkumariajnkvv.org/singhania/downloads/file/60038696728.pdfIn PDF document text
- https://aprilboya.com/userfiles/file/voxogigizu.pdfIn PDF document text
- http://www.mediacomriccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609eb6c1d657a---53703649753.pdfIn PDF document text
- https://vinamex.info/uploads/news_file/52640647122.pdfIn PDF document text
- https://shinyjewellers.com/wp-content/plugins/super-forms/uploads/php/files/berqlg3hsrkqmgqf3d0atoaqun/17888826776.pdfIn PDF document text
- http://bethelhanberryaaa.com/clients/2/24/2465ef4bb9bb1b7382310ae17d7cafeb/File/nexutegugizi.pdfIn PDF document text
- https://klcmekatronik.com/ckfinder/userfiles/files/pudexogoliwug.pdfIn PDF document text
- https://www.truegridpaver.com/wp-content/plugins/super-forms/uploads/php/files/614cf2fe09c5972dad91ba8d6c762bbb/lonaxikekusisopafobut.pdfIn PDF document text
- http://haniltm.kr/upfiles/editor/files/23204175579.pdfIn PDF document text
- https://www.espymetcalf.com/wp-content/plugins/formcraft/file-upload/server/content/files/160da2d4804541---48584196875.pdfIn PDF document text
- http://dichvugiayphep.net/hinhanh_fckeditor/file/rukevif.pdfIn PDF document text
- http://www.garriagricola.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fed6c22b13---63266561608.pdfIn PDF document text
- http://unipell.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b24ecae1276---36504707649.pdfIn PDF document text
- https://doitsolutions.co/wp-content/plugins/super-forms/uploads/php/files/fee464657e908e9d8f6c3e5a1bdab19a/fuvotezimegem.pdfIn PDF document text
- https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/44f95fa8f3537b5085be911e4c8e5eeb/66203132348.pdfIn PDF document text
- http://donkaew-furniture.com/ckfinder/userfiles/files/77160875710.pdfIn PDF document text
- http://2ds-creations.fr/userfiles/file/19921202270.pdfIn PDF document text
- http://www.cafeinca.com/img/public/contenido/file/27547410533.pdfIn PDF document text
- http://omniatel.it/wp-content/plugins/formcraft/file-upload/server/content/files/160b3d1e164b05---14332380330.pdfIn PDF document text
- http://wojno-stal.pl/pliki/file/28341410216.pdfIn PDF document text
- https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/cdb16105bbabc59e280c41a8247152a8/28701324635.pdfIn PDF document text
- http://auksozvynas.lt/userfiles/file/rirewumeronadezuvi.pdfIn PDF document text
- https://jahanchart.ir/data/files/file/lenekokosubub.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/cv9VXjIrmdE/uplcv?utm_term=have+a+great+night+meaningPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e968.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE968	10276 bytes
SHA-256: `e631ccfa0652c189685caa9455a77d3ebeba0a499e6e630781917498adf2e1ac`

Open this report in the interactive analyzer, or submit your own file for analysis.