PDF malware analysis — malicious · 981df76b57e633f1

MALICIOUS

PDF

83.7 KB Created: 2021-09-18 02:28:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 209ca7fe44ab9c8fad7d7348c4a5f33b SHA-1: f225ba6136d8399af48b561d80275e6e2f6e0622 SHA-256: 981df76b57e633f1cead6c202ff2aaccac3743b5f785e0274ebe9ec6753137dc

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF document contains a link farm pointing to compromised WordPress sites and disposable hosting, suggesting a phishing or malware distribution lure. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or delivering a trojanized payload. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to trick users into downloading further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9974

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://chcial.ru/uplcv?utm_term=bs+grewal+44th+edition+pdf+free+download
- http://osteriailgalloelinnamorata.com/userfiles/files/fujijufiwiw.pdf
- http://xn--72c7caerxx0d3a9eve.com/UserFiles/File/mivedasekezud.pdf
- http://coomargroup.com/ckfinder/userfiles/files/jezogate.pdf
- https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/161392c8d6c554---negekudima.pdf
- https://vokalensemble-vocembalo.ch/userfiles/file/verunifizavagiponibi.pdf
- http://stonepigments.com/userfiles/file/30574008200.pdf
- http://www.icareonline.net.au/ckfinder/icare/files/badoba.pdf
- http://ketphatthinh.vn/upload/files/logixasilamifemibo.pdf
- https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/1613ff8436caf1---lukizogigefetuku.pdf
- https://nwdglobal.com/ckfinder/userfiles/files/betit.pdf
- https://thediamangroup.com/_images/files/muzudepub.pdf
- https://cambodiadriverservice.com/userfiles/file/walabekibuxifevakenap.pdf
- http://nutronicltd.com/userfiles/file/medexevanu.pdf
- http://kimyasaldubeller.com/upload/ckfinder/files/darosipax.pdf
- https://www.alugutader.fr/ckfinder/userfiles/files/fevigebipelakalimuf.pdf
- https://czus-lukasa.sk/userfiles/file/vinekunosategazexubebi.pdf
- http://copingconversations.com/userfiles/file/47071551264.pdf
- http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16138abaed6852---kelaxipup.pdf
- https://ww150003.linebot.net/upfile/files/20210908182908.pdf
- http://szsahsh.com/uploads/files/14973781598.pdf
- https://asharfilalkulfi.com/ckfinder/userfiles/files/xugumovogo.pdf
- http://ratchadatitan.com/UserFiles/File/14665765997.pdf
- http://taiwan-casters.com/userfiles/file/biname.pdf
- https://aiaciran.org/cache/fck_files/file/poxukekovijunikaj.pdf
- http://www.veronicaneal.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/1612e9934cf5ac---81919175358.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dfd8.bin` `a809c0f69417951a76888b3ee1f39e77a0ce65ef657987303312fa72103c0178`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDFD8	18140 bytes
`font_01_sfnt_off00010f4a.bin` `666d0de8a8a891aa13e5358242a066d19cb94c9fa1145223d837c7216032e61c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10F4A	10992 bytes
`font_02_sfnt_off000128a9.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x128A9	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.