PDF malware analysis — malicious · 895cdbe7d714190a

MALICIOUS

PDF

85.6 KB Created: 2021-07-18 03:29:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11

MD5: 1d29e89573fb5774af4452acc11caf9d SHA-1: cafd9c3988366d62bc737db3a1452e1b51a64701 SHA-256: 895cdbe7d714190a6bbb68ae5846b14acda5f82732303b93290a3707c4d82c1e

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file was detected by ClamAV as Pdf.Phishing.Trojan. It contains numerous embedded URLs that point to compromised WordPress sites, forming a link farm. These links likely serve to redirect the user to malicious content or phishing pages, a common tactic for initial access via spearphishing attachments.

Machine Learning

Nyx PDF Classifier suspicious score 0.3778

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160b11543dec22---lurukefomulutunovisa.pdf In PDF document text
- https://nowackleverkusen.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607b9c63ed3af---gofebakodin.pdfIn PDF document text
- https://aslplastic.com/ckfinder/userfiles/files/24262800717.pdfIn PDF document text
- http://brilliantsolarpaneling.com/userfiles/file/56696042040.pdfIn PDF document text
- https://sygimportaciones.com/wp-content/plugins/super-forms/uploads/php/files/ufg5cj2qlbo5v7d94aj5cf6fl7/26492323495.pdfIn PDF document text
- http://xn--80aafbkbafwdti1ahihccrg.xn--p1ai/pict/file/nanugesar.pdfIn PDF document text
- https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/ra9ba59bplvvmasbbjq1bgkr2g/gutoxeg.pdfIn PDF document text
- http://unipsyclinic.com/userfiles/file/20210517045341.pdfIn PDF document text
- http://nessium.net/userfiles/file/83961744065.pdfIn PDF document text
- http://cz-synergy.cz/data/file/xutuwaza.pdfIn PDF document text
- http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/1606c83843a605---rumurugijizidedoje.pdfIn PDF document text
- http://profisystem.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16094a67366c82---7288887257.pdfIn PDF document text
- https://africanresearchcenter.com/userfiles/file/24040097817.pdfIn PDF document text
- http://mientaytourist.com/uploads/files/givizoruxiwi.pdfIn PDF document text
- http://bdn10.cz/files/file/40999922485.pdfIn PDF document text
- https://fietenhaardenenkachels.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608277889f731---kuzebasifikixitaboxom.pdfIn PDF document text
- https://studio-september.com/wp-content/plugins/super-forms/uploads/php/files/3dda773e1f582b786a3f500285c458db/revivigipatudavodep.pdfIn PDF document text
- https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/kaulhhmbqsrt33ufqbsuntqqvi/duxudituk.pdfIn PDF document text
- https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/160d65bc85f63b---25362054391.pdfIn PDF document text
- http://color-gateway.com/userfiles/file/ruvigizidilosuwewu.pdfIn PDF document text
- http://geteffective.biz/uploadfiles/file/sexejejubepu.pdfIn PDF document text
- http://sinara.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b9f6c9d614d---dunatosexiwawonixejos.pdfIn PDF document text
- http://www.commandinglife.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607310a9ab2b2---ledazipomipanek.pdfIn PDF document text
- https://gmonlinestore.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073d3638f25e---komasaxorafe.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=three+digit+addition+and+subtractionPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010014.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10014	10804 bytes
SHA-256: `f8450966f782ecd7f48f739b990de39e96ecbc456bc753d8296d26993c07a988`
`font_01_sfnt_off000118b9.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x118B9	16960 bytes
SHA-256: `8ae7a83f27fd1504a0e37e6ec97300d371b64b9f0c9cb04ca3f336886da078cc`

Open this report in the interactive analyzer, or submit your own file for analysis.