PDF malware analysis — malicious · 7b7ff98aea966caa

MALICIOUS

PDF

87.8 KB Created: 2021-07-17 09:12:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07

MD5: 2cbb64a1b4387d34d8e28648e9807c81 SHA-1: da3eb283a2e94c87e73db57cf22e92fe365eb23f SHA-256: 7b7ff98aea966caa8223650ef6ab6835ffcba0a96e7d9dcb27612657c7122297

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristics suggest it functions as a link farm and contains embedded JavaScript, likely to facilitate the download of a remote support tool. The document's structure and embedded URLs point towards a phishing or malware delivery scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9942

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Remote-support tool lure high SE_REMOTE_SUPPORT_LURE

Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://conwaychristian.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607322cf3485a---71271439843.pdf In PDF document text
- https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091fb6885213---bobebobesis.pdfIn PDF document text
- https://vasantviharproperties.com/userfiles/file/10529757824.pdfIn PDF document text
- https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/dbc4d5f035d327179289732ce5c9cbd0/36405420751.pdfIn PDF document text
- https://arte-salon.ru/upload_picture/8779451277.pdfIn PDF document text
- http://gennarimaq.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c4275693ec5---16303888312.pdfIn PDF document text
- https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/16082b724e59d1---retemazusen.pdfIn PDF document text
- http://myexamadvisor.com/fck_uploads/files/vesobezuripaduwemotujaf.pdfIn PDF document text
- http://aksaxena.com/bpms/includes/fckeditor_uploads/userfiles/file/28218165981.pdfIn PDF document text
- https://hoffmanowska.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16095d8ea01f40---6039717210.pdfIn PDF document text
- https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/86512598d230e154e457aec48fc89a8a/duzeloba.pdfIn PDF document text
- https://clubelsendero.com/img_pag/file/96678358165.pdfIn PDF document text
- http://everbeenmagnet.com/js/upfiles/files/vivij.pdfIn PDF document text
- https://rajaunited.com/contents//files/meramujexofamituzeluverug.pdfIn PDF document text
- https://vuaship.com/wp-content/plugins/super-forms/uploads/php/files/rh00tifbg4egbbqjmit7qm65f9/79234215201.pdfIn PDF document text
- https://oiweld.com/wp-content/plugins/super-forms/uploads/php/files/4ed3b6697c5853ee35b8b9bc2c52df5d/josubedokewuvelomugisopo.pdfIn PDF document text
- http://logistra.fr/ressource/site-image/files/25261628583.pdfIn PDF document text
- http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf3e187b1f3---70337236340.pdfIn PDF document text
- https://elsadaulte.com/ckfinder/userfiles/files/gukitufuke.pdfIn PDF document text
- http://faxik.online/ckfinder/userfiles/files/39035238301.pdfIn PDF document text
- https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc433e92ad---foliluxupefatib.pdfIn PDF document text
- http://brandnewgoods.net/userfiles/file/97952066852.pdfIn PDF document text
- https://www.growxponential.com/wp-content/plugins/super-forms/uploads/php/files/bh3q0156salf8j5hcj0dc27kqb/boduputedeka.pdfIn PDF document text
- http://nm-union.ru/ckfinder/userfiles/files/jedonudazuvujuvaxepatep.pdfIn PDF document text
- https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/ac49630bf353b7d60a5eeed6e3c7719d/12218704525.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/3vuEKuznOb8/uplcv?utm_term=sheryl+swoopes+chris+uncleshoPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f143.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF143	10588 bytes
SHA-256: `0cc9026e425ae5f5b1a88259510a959246f4188f165ac49b212b87fd3b99789d`
`font_01_sfnt_off00010967.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10967	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00012179.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12179	17796 bytes
SHA-256: `31d1d31fca8cead87319bd1503afc698446d17e9bff1d9e2716ca57ad2662b40`

Open this report in the interactive analyzer, or submit your own file for analysis.