PDF malware analysis — malicious · 7d6afa5311ea9905

MALICIOUS

PDF

87.9 KB Created: 2021-08-14 02:07:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23

MD5: 0b42cbf4aaccf7904c1d0a68455f720c SHA-1: cf22cba2f97c9eda770aac3422b4a57a4e48ece3 SHA-256: 7d6afa5311ea9905415cabb4f72c63e32b907c06d56bb33caab95b008e489833

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. The heuristic 'SE_CALLBACK_LURE' suggests the document is designed to trick the user into calling a phone number, a common tactic in phishing and tech-support scams. While no scripts were extracted, the presence of numerous links to potentially compromised WordPress sites and disposable hosting indicates a link farm designed to redirect users to malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9982

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://chefinhogourmet.com/wp-content/plugins/super-forms/uploads/php/files/d5d2d7c4bf614364625214c66b49acc3/35549469336.pdf In PDF document text
- https://sunpower.lv/ckfinder/userfiles/files/60981150811.pdfIn PDF document text
- http://lichnyiybrand.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160988de557bc7---lunusegixonodigurox.pdfIn PDF document text
- http://srihemkuntsahibfgp.org/hemkunt/userfiles/file/91359266772.pdfIn PDF document text
- http://gloria-eurex.com/dodewosojuxatukakatudisa.pdfIn PDF document text
- https://tootooair.com/FileData/ckfinder/files/20210701_96A9BBD0A1E977D1.pdfIn PDF document text
- https://qamarapps.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c47a5757f05---newowugebiwagitelasofewa.pdfIn PDF document text
- http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/16098ada6a6cf2---pinirul.pdfIn PDF document text
- https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/160be246154149---mibulatozubisulonus.pdfIn PDF document text
- https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/160856b4758c54---12115866713.pdfIn PDF document text
- http://www.scmphotography.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160c480a465e3f---94242211583.pdfIn PDF document text
- http://robbinsfamilyhealthcare.com/clients/2/2c/2c787fa606fc56c3a3a24dfc5409695f/File/27536247151.pdfIn PDF document text
- https://vidaleve.ind.br/ckfinder/userfiles/files/80337254890.pdfIn PDF document text
- https://condominiovillage.com/userfiles/file/joguvogaliw.pdfIn PDF document text
- http://www.advancedevents.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160919844718c2---79098679272.pdfIn PDF document text
- http://tjsijiqing.com/ckfinder/userfiles/files/2021/0803/dd8cc7eeb6b49416833afca147d000f5.pdfIn PDF document text
- http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/1609fb525df99c---gopugosunu.pdfIn PDF document text
- https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/7bon1qhlafhu7c4639it9cr6t7/2250811854.pdfIn PDF document text
- https://elitestrategyglobal.com/wp-content/plugins/super-forms/uploads/php/files/7238f195abe55f703228c4ee09e3a82c/83619007529.pdfIn PDF document text
- http://www.ausafrica.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1607655064930a---2308848637.pdfIn PDF document text
- http://ledson.ru/upload_picture/66538584185.pdfIn PDF document text
- http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab88c5beb9f---39641225188.pdfIn PDF document text
- https://siphouse96.com/wp-content/plugins/super-forms/uploads/php/files/ed139ea23f2480ba75dd461b9651b0fd/lufevuj.pdfIn PDF document text
- https://iqmuseum.mn/uploads/files/gosewiloreti.pdfIn PDF document text
- http://mizuho-co.net/file/ck/files/82059451360.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=what+is+guidewire+insurance+suitePDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f29e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF29E	17472 bytes
SHA-256: `2788ee27b04b6d255ab4781a684829bbc59b21f8c1623096dcaf969944ebd377`
`font_01_sfnt_off000120da.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x120DA	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off000138f1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x138F1	10664 bytes
SHA-256: `f72a555866e13b6113224c4f63747e7193ec2d56f6a4da6282284c3c6c70aa80`

Open this report in the interactive analyzer, or submit your own file for analysis.