PDF malware analysis — malicious · 8b3b50d6c4cc2f25

MALICIOUS

PDF

90.2 KB Created: 2021-07-23 19:15:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14

MD5: 41a139719da17050a4e43b4b51a86a2c SHA-1: 76d175ed0f64998b6f2acd41c6fed92a9e4d761b SHA-256: 8b3b50d6c4cc2f25684668bf28a6175553449dae1b77f107325acbbdeed8c5c9

224 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The sample is a PDF document containing embedded JavaScript, which is a common technique for delivering malicious content. Heuristics indicate the document acts as a link farm and contains a callback lure, suggesting a phishing or scam attempt. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or a trojan.

Machine Learning

Nyx PDF Classifier malicious score 0.9986

Heuristics 9

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.northwoodmedical.ca/wp-content/plugins/super-forms/uploads/php/files/2klglsc5j460ce8asspmp2duqp/65918663948.pdf In PDF document text
- http://lifeisartfoundation.org/sites/default/files/images/userfiles/file/85795456730.pdfIn PDF document text
- http://bangkoksolarpower.com/syner_upload/images/files/rovawetidolus.pdfIn PDF document text
- https://discoverapartmentsforrent.com/wp-content/plugins/super-forms/uploads/php/files/60566d50666c8df8256e073f7e4a1665/66977907011.pdfIn PDF document text
- https://tenfci.org/userfiles/file/derewiguxizuxukavidovaf.pdfIn PDF document text
- https://fullmagicweekend.com/ckfinder/userfiles/files/somojurapaxonebo.pdfIn PDF document text
- http://vdgairconditioning.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607f75875a59d---lizaxivixenesudidodizakov.pdfIn PDF document text
- https://gtsonline.nl/wp-content/plugins/super-forms/uploads/php/files/2hbk5q4s63pfncmd02ru087gs4/45786213618.pdfIn PDF document text
- http://immodraft.nrw/images/architekten_agentur_images_/file/66109543375.pdfIn PDF document text
- https://www.wikiwebagency.it/wp-content/plugins/super-forms/uploads/php/files/870419b52496ea4c8da924ed1c8c49dc/79180321849.pdfIn PDF document text
- https://bhiringisamsankalimandir.org/ckfinder/userfiles/files/zibeko.pdfIn PDF document text
- https://www.18fire.com/wp-content/plugins/super-forms/uploads/php/files/41021a59f09d57196bf05af202994b48/ralaferozovax.pdfIn PDF document text
- http://espressobuilders.com/app/webroot/files/userfiles/files/garikuranejegejigugan.pdfIn PDF document text
- https://seroinstitute.com/wp-content/plugins/super-forms/uploads/php/files/9af84b299e82159ad7977c4a196d301e/71404429661.pdfIn PDF document text
- https://www.grecosalesinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5105006cf---xadukuwozimolafimuvolaso.pdfIn PDF document text
- http://plovdivweek.com/app/templates/js/ckfinder/userfiles/files/76681107835.pdfIn PDF document text
- http://lapawan15.com/shop/fck_file/file/79369568947.pdfIn PDF document text
- https://www.kunapak.com/wp-content/plugins/super-forms/uploads/php/files/2e1vq31dhn1s7g19gtol1st2gs/dozemurikofetubujifetim.pdfIn PDF document text
- http://savannahcentury.info/clients/4/44/449a5b3489ef279447e90cf6cdd72f1c/File/fiwukogipawa.pdfIn PDF document text
- http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b4c1d18a477---20571759739.pdfIn PDF document text
- http://videofilm-tv.ru/content/File/fijewiragevisigipigakiv.pdfIn PDF document text
- http://skyrunarser.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/210723064706238786ycs32m.pdfIn PDF document text
- https://impactcleaningserviceskc.com/wp-content/plugins/super-forms/uploads/php/files/e281b4fc4eff03e607aeae0db5149ff0/14817059994.pdfIn PDF document text
- http://immodraft.nrw/images/arIn macro / runtime command snippet
- https://feedproxy.google.com/~r/Uplcv/~3/3vuEKuznOb8/uplcv?utm_term=interactivity+with+javascript+coursera+week+2+assignmentPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f2d8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF2D8	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00010aea.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10AEA	19224 bytes
SHA-256: `4de44565046a4bd0f8c746a2f78f03065d6f80fd4dc3df3a731674b5328f0e62`
`font_02_sfnt_off00013cf3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13CF3	11432 bytes
SHA-256: `09435bebae87e4e8a6a6e07569156dbde161b4892bd626735da2a1303fc898a6`

Open this report in the interactive analyzer, or submit your own file for analysis.