PDF malware analysis — malicious · 820af64bb5954049

MALICIOUS

PDF

82.4 KB Created: 2021-05-28 06:38:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: bcf921ba7fcfc91b904ca1943bd33326 SHA-1: 99fe49d6c16e36dc776209c8a9d0b44e7170a377 SHA-256: 820af64bb5954049a385c660ac4a9043e970fa1d9b898ed73a7c38c4e5bd1a57

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document contains numerous links to external websites, many hosted on compromised WordPress sites or disposable domains, suggesting a link farm or phishing campaign. The presence of a URL with a 'utm_term' parameter implies an attempt to track user engagement with deceptive content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ketchas.ru/uplcv?utm_term=how+to+do+total+surface+area+of+a+triangular+prism
- https://agrilaui.com/userfiles/file/revajamovev.pdf
- https://www.edutechusa.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7ea5ee8185---sadavirufovu.pdf
- http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ad1768004f---tatugemerubiwalepikanovuz.pdf
- https://benqmusicworkshop.com/fupload/file/76833961773.pdf
- https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/1e88cl4uqq7lj2dk1j78huod18/pemira.pdf
- https://vdbergelectro.nl/wp-content/plugins/super-forms/uploads/php/files/a2eda690de5a54326a46d4bb351ca010/lovesororeriwunuxa.pdf
- https://grafitpoint.ru/wp-content/plugins/super-forms/uploads/php/files/be82127e7ecde5882736ac0f13ba3513/supokulapi.pdf
- https://www.darrellstuckey.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073a773aa4b7---48425607917.pdf
- http://www.tif.cn/wp-content/plugins/super-forms/uploads/php/files/lra0u4dk6n7dtg80jbhdqgpk13/45981561805.pdf
- https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/fbae15eddc49c94c667a2f94cf60cc0f/wepagopabodobijinixip.pdf
- http://www.iamgoingto1996.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a1e0cb8136---vimufinokurebisibaduropix.pdf
- http://kibbkw.com/uploads/file/26476120127.pdf
- https://areshin.ru/wp-content/plugins/super-forms/uploads/php/files/682f4f3a903ad550baffee7fd875efba/66732500278.pdf
- https://www.hauptsache.cc/wp-content/plugins/formcraft/file-upload/server/content/files/16077a98340288---63526942851.pdf
- http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/16093b86ac338e---73609783820.pdf
- https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609f6ecba56b7---29077305708.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e5d1.bin` `ff2fdb1cb37b14b3e2c014fcef5518b17edecfa12fc8ab413b41562034622c55`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE5D1	5528 bytes
`font_01_sfnt_off0000f89f.bin` `b892989b2d00c90396f2cdc1c3ed2c1741d991706992656e3dd8cca5d206ed0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF89F	11568 bytes
`font_02_sfnt_off00012044.bin` `f4009f2ab10274a2bf2a50b3fe385da40d2f3b148847796c112ae6fd8c6c8489`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12044	18224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.