PDF malware analysis — malicious · 943a84bdc70e2f03

MALICIOUS

PDF

69.5 KB Created: 2021-09-27 09:08:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 1682f0fcce5c95409beab26d920e7259 SHA-1: 8472f0dab7bb52e32206b3548393b765ad744a0e SHA-256: 943a84bdc70e2f030a314febfb42d74ad81ac24069a2659bc2dffddfba8da3bc

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript and a significant number of external links, many pointing to compromised websites or disposable hosting. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or to serve a second-stage payload. The embedded JavaScript, though not fully analyzed due to obfuscation, is a common vector for initiating malicious actions within PDFs.

Machine Learning

Nyx PDF Classifier malicious score 0.9951

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://catamma.ru/uplcv?utm_term=java+lang+nosuchmethoderror+java+lang+string+isempty
- https://pelicanfinancialnetwork.net/ckfinder/userfiles/files/1317144246.pdf
- http://canyonmeadows.org/userimages/difagiba.pdf
- http://exito-opakowania.pl/userfiles/file/10823327442.pdf
- https://penzion-palice.cz/content/tuzezizenaxovigatun.pdf
- https://futuresbuilder.net/dayafter/uploadimages/newsimages/file/75370815887.pdf
- http://www.sbawerribee.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1614bf695e8045---ziruwo.pdf
- http://dlshixiang.com.cn/ckfinder/userfiles/files/8134357661.pdf
- https://cremeconferences.com/wp-content/plugins/super-forms/uploads/php/files/eb7b80a5dd4c519f98599f076a96989f/14096428723.pdf
- https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/18da410ffd984be5d99ae6593fc1f1d7/lupupuwap.pdf
- https://bisnismedsos.com/userfiles/file/nikaloxozizulifaxir.pdf
- https://zazilha.com.mx/wp-content/plugins/super-forms/uploads/php/files/c4eaa1d3dd7588984155a8d6463f65bb/77902834545.pdf
- http://f-okinawa.com/img/tmp/file/74963253201.pdf
- http://seghers.kr/data/editor/file/1054724010614b5a6da6b31.pdf
- https://vsetinrally.cz/userfiles/file/91832357626.pdf
- http://aktifimmo.lu/userfiles/files/63053575324.pdf
- http://rockhousemethod.com/ckfinder/userfiles/files/buguseduzux.pdf
- https://djennebeads.com/nbloom/fckuploads/file/63956531903.pdf
- http://achilleferolla.it/userfiles/files/87182669346.pdf
- http://presupuestos.pavysan-bigmat.es/ckfinder/userfiles/files/47825171440.pdf
- http://hunting.kg/userfiles/file/8179434252.pdf
- http://sictombbi.fr/ckfinder/userfiles/files/37704176626.pdf
- http://munnartourism.com/uploads/file/50253973629.pdf
- http://kurumakaitori-one.com/js/upload/files/94915994847.pdf
- http://viprealestatebrokers.com/userfiles/files/16799762416.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000afa2.bin` `395810d9dd7d8046592c9a73ce307fa2df0ad32009dd07f84ec2e52aa8412843`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAFA2	15172 bytes
`font_01_sfnt_off0000d5f1.bin` `992baaf2e4cc77d5bdaa9e550d3e6446c861b8bc6aa9d3e9136e06e661c664e2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD5F1	11364 bytes
`font_02_sfnt_off0000f050.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF050	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.