PDF malware analysis — malicious · 9b092ace1aa29cc1

MALICIOUS

PDF

90.0 KB Created: 2021-06-04 05:00:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f32b7e7bcf41aac377a25246495146bf SHA-1: 34bcdd76aa5f6c04a844e0d7d59012644e7d72b2 SHA-256: 9b092ace1aa29cc163848c84c7f6c5d80b8e9ae2d51955368122e98ea9a499e0

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to compromised WordPress sites and other domains, suggesting it functions as a link farm to distribute further malicious content or phish for information. The presence of embedded URLs and the nature of the heuristics point towards a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.lbf-cosmetics.com/website/wp-content/plugins/formcraft/file-upload/server/content/files/1606f39ed46637---94137460368.pdf
- http://aweibel.com/Photo/file/6384572810.pdf
- https://olmitek.by/wp-content/plugins/super-forms/uploads/php/files/o2f3bcndu1irrr54b6g62npq01/35659041814.pdf
- http://edwardfmcgintypa.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/10871708974.pdf
- https://popcouncilinstitute.org/wp-content/plugins/super-forms/uploads/php/files/ce76c7e879ec1eca48fad32545462982/67450385170.pdf
- http://www.urbanwaterways.info/files/sizasexibiguvipuf.pdf
- http://glenbrooksouth1970.com/clients/1/17/17fc1bd13d5538a69f39d58c869d2fc5/File/34563543997.pdf
- https://thejinglelab.com/wp-content/plugins/super-forms/uploads/php/files/rc76vcj58m1mk2ncbuo662rbb3/rokajapasopokanebogok.pdf
- https://howardsteeves.com/wp-content/plugins/super-forms/uploads/php/files/45e7744b4ed63ae29857ff785e10094d/88105450144.pdf
- https://senhewood.com/d/files/bejijikawod.pdf
- http://www.agrosystem.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1606fbfc70cfbf---49355134882.pdf
- http://pileshoppen.dk/userfiles/file/ralifar.pdf
- https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/16083c6ef9bbe8---8475946349.pdf
- http://www.unidacardoso.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16079ef3e32836---dibinawimasaju.pdf
- https://alatheir.com/atheirwsfiles/file/baxevazobubo.pdf
- https://masterok-kovka.ru/wp-content/plugins/super-forms/uploads/php/files/59fa46a3b4600420cf802116cf5a181c/51904953264.pdf
- http://viaterrestre.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160896e04a5467---22297104519.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=electromagnetic+induction+worksheet+with+answers+pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001034b.bin` `2a1f9b554916025272fadceda6d368615e3b19edbf3bf03f487231f0615841c8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1034B	5680 bytes
`font_01_sfnt_off0001168a.bin` `a0a7d67fe4f87802403343959334887322a14e8992ada30440343c4e7e966f2d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1168A	14332 bytes
`font_02_sfnt_off000144fd.bin` `74a35dcac671789a1952909c7064e8f0092ccf84988030a41650584fa1b75142`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x144FD	16192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.