PDF malware analysis — malicious · 805cc25909521096

MALICIOUS

PDF

130.9 KB Created: 2021-07-21 07:54:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-22

MD5: 779a30495ff818906287e47547b1d02a SHA-1: ec61a5c449c102f07b08cd897d15ea3122821a22 SHA-256: 805cc259095210969338143e19cf2b321a751bcb9ab26c6fb844bb08457c615d

196 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple links to compromised CMS upload storage, suggesting it is part of a link farm designed to host malicious files. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic indicates the document instructs the user to copy and paste content into a command-line context, a common technique for executing downloaded payloads. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9903

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://creationstationdance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608be83a2b121---29159209285.pdf In PDF document text
- https://heritagelogs.com/wp-content/plugins/super-forms/uploads/php/files/h26hiuckvq6em9r7uiud67jgp1/siremolifarolevevuwetar.pdfIn PDF document text
- http://njnccualumni.com/clients/0/05/05b55d2c4c342460da0dc2f503861b12/File/jozixo.pdfIn PDF document text
- http://www.blackhillsdancecentre.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c4fee8a69e2---pofepijenalitelenonovav.pdfIn PDF document text
- https://people11people.gr/uploads/File/dekirewojaxobid.pdfIn PDF document text
- http://bertoniamministrazione.it/bertoni/public/file/98072764149.pdfIn PDF document text
- http://cjatkinson.com/userimages/16338907940.pdfIn PDF document text
- https://tenekedjieva.com/uploads/file/6650784420.pdfIn PDF document text
- http://www.gdchgs.com/admin/img/files/nugudavewebogut.pdfIn PDF document text
- http://cbgnfinance.com/userfiles/file/32435923888.pdfIn PDF document text
- http://chinhsuasolieu.com/media/files/newom.pdfIn PDF document text
- https://moma-restaurant.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a960c0a45d7---39267249918.pdfIn PDF document text
- http://yds-wcv.jp/free_images/files/tiboriwagosixesu.pdfIn PDF document text
- https://bangprice.com/bangprice.com/beta/cms_image/file/vulerirafebejeser.pdfIn PDF document text
- https://ferdavagnar.is/images/fck/file/losufesikorerotevalu.pdfIn PDF document text
- http://blog.crowdly.com/wp-content/plugins/formcraft/file-upload/server/content/files/160926a68140af---tunibikajaw.pdfIn PDF document text
- http://automsystem.com/UploadFile/file/20210721072852918.pdfIn PDF document text
- http://www.ashtralmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608673a56d713---fagajitopapetitobe.pdfIn PDF document text
- https://event-connections.net/wp-content/plugins/formcraft/file-upload/server/content/files/160965a23cf133---parigewuvimeresibesodopa.pdfIn PDF document text
- http://moveisgarciadigital.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606c72658d301---98586860504.pdfIn PDF document text
- http://mesotects.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ca1862341c---nopogetokufa.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=reinstall+grub+from+live+cdPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fbe1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFBE1	17864 bytes
SHA-256: `9b6d076ff5cb553b413a7cf5e642770dc25e5d94f3d2a4ff2a3189ad34f917c4`
`font_01_sfnt_off00012b61.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12B61	62980 bytes
SHA-256: `ef7775856f159df37f09eeb03ca023731a5dca84c2866c54f765d0f975e3ed53`
`font_02_sfnt_off0001cbcb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1CBCB	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off0001e3e2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1E3E2	11172 bytes
SHA-256: `1a95e08095f271b3a1c1ac7b7c21ac01efbd5a019ee34ab44d08e536c3f3fa4a`

Open this report in the interactive analyzer, or submit your own file for analysis.