PDF malware analysis — malicious · 8cd23b30078cb759

MALICIOUS

PDF

104.6 KB Created: 2021-06-26 22:30:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23

MD5: 174964162924b1bd1de650fc52b157a4 SHA-1: ac4b7cbde39624e9ce9e529b0930a6601edf1a4f SHA-256: 8cd23b30078cb7598f3b943070b733ee6bda7e1f78b58d552c011291a2ee0992

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and a machine learning classifier. It contains numerous links, many pointing to compromised WordPress sites or disposable hosting, suggesting a link farm designed to host or redirect to malicious content. The presence of a 'download button' heuristic further supports a phishing or malware distribution lure. While no scripts were explicitly extracted, the overall structure and URL patterns are indicative of a phishing or malware delivery mechanism, likely involving exploitation of PDF vulnerabilities.

Machine Learning

Nyx PDF Classifier malicious score 0.9682

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://oniceh.ru/uplcv?utm_term=praise+and+worship+songs+2021 PDF link annotation
- https://sip7.pl/autoinstalator/sip7.online/wp-content/plugins/super-forms/uploads/php/files/9aaf37c1ff9e8fdad0e7a8656801a273/34296333445.pdfIn PDF document text
- http://predit.ru/admin/ckfinder/userfiles/files/73094714462.pdfIn PDF document text
- http://xn--e1aazeoc7d.xn--p1ai/images/shared/file/65540704047.pdfIn PDF document text
- https://finatwork.com/userfiles/file/fimojusegubixon.pdfIn PDF document text
- http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f1866e28b8---vafux.pdfIn PDF document text
- https://refundsrefunds.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608896837b385---42882907794.pdfIn PDF document text
- http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160aaf61e19b97---9628394649.pdfIn PDF document text
- http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160b62c70c7152---62961459046.pdfIn PDF document text
- http://cauthinh.com/luutru/files/10345080721.pdfIn PDF document text
- http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607217b58b396---79701685101.pdfIn PDF document text
- http://www.insurancedirectcanada.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16087de5a37c3d---63207755943.pdfIn PDF document text
- http://imagespa.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160a8558b090be---molikolegipuxarizijeret.pdfIn PDF document text
- https://www.cibaospalaser.com/wp-content/plugins/super-forms/uploads/php/files/4ismtbg5nutshkq6kpntvkpf4m/tuzokasiluravidizam.pdfIn PDF document text
- http://bogelaipigeon.com/upload/file/85573024204.pdfIn PDF document text
- http://hzdsbg.com/uploadfile/1621719918.pdfIn PDF document text
- http://www.advokat.com/app/webroot/img/fck/file/85047858027.pdfIn PDF document text
- http://guides2alpes.fr/uploads/file/joduwuzalasuvoza.pdfIn PDF document text
- http://standardamulet.com/files/files/82274294429.pdfIn PDF document text
- http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/16090fb2fc2d67---88972816484.pdfIn PDF document text
- https://ikitellirezistans.com/upload/files/11442419429.pdfIn PDF document text
- https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/72eb0bf26a19afd2c0abee90f43df438/boremagigadotova.pdfIn PDF document text
- https://ipcare.nl/wp-content/plugins/super-forms/uploads/php/files/g9bcqst64kvi4a0lpvf4ke5d9h/xutawivasesi.pdfIn PDF document text
- http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/1606fba6372a89---komobixotika.pdfIn PDF document text
- http://www.jcca.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/160c1c6f2cd8e7---dunujixarud.pdfIn PDF document text
- https://www.swissfillon.com/wp-content/plugins/super-forms/uploads/php/files/a3e7ceca9c73f19f78bb592d5b94eecb/gibox.pdfIn PDF document text
- http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e2d959953e---kutudok.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00011ebd.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11EBD	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off000136ce.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x136CE	16144 bytes
SHA-256: `32a860289ed2df4afcdfffbe789e3f3b63dcad7d566662d07e8c33e4204d1767`
`font_02_sfnt_off00014c58.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14C58	18096 bytes
SHA-256: `68a37879bb1f458fc315a8aa7ffbef37f07dd3734cd6cdaaee3bb0b526de2cf7`
`font_03_sfnt_off00017b95.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17B95	10908 bytes
SHA-256: `922ed0ea511d6be23e842bc126de230ba21d1c83bb397a8890c0fdb600a3997a`

Open this report in the interactive analyzer, or submit your own file for analysis.