PDF malware analysis — malicious · a23ecee569bca3ad

MALICIOUS

PDF

89.3 KB Created: 2021-07-04 00:47:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: bf2cf6a8488d89b56c6e4951943adc00 SHA-1: 9e0d8c7b53896d70e4dafd48795644fe0fc48342 SHA-256: a23ecee569bca3adb201e65d8752d85d1f3281e19dc7cfc0bd8d5bbf1ddbc634

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was identified as malicious by ClamAV and an ML classifier. It functions as a link farm, containing numerous URLs pointing to compromised WordPress sites. These links likely serve as a distribution mechanism for further malicious content or phishing attempts, aligning with the characteristics of a spearphishing attachment. No scripts were extracted, but the PDF structure itself facilitates redirection.

Machine Learning

Nyx PDF Classifier malicious score 0.9835

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160a0bed32147b---8809570145.pdf In PDF document text
- https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a703a8638bf---fadufiwotepaf.pdfIn PDF document text
- https://rffsev.ru/wp-content/plugins/super-forms/uploads/php/files/f28ed30fcaeaf002fe962779b93ae983/7415874635.pdfIn PDF document text
- https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/0f862a6df56bb45593dd8dca25aefa41/fajolusa.pdfIn PDF document text
- http://monroehighwildcats.com/clients/40160/File/tefivelevizuzabufuzelan.pdfIn PDF document text
- http://www.veronicaneal.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/160aaa8f9f334e---tazasesebagamadojew.pdfIn PDF document text
- https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160701e6d3f369---31313701254.pdfIn PDF document text
- http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16099e4cb27cb8---wafipu.pdfIn PDF document text
- https://amagi.la/wp-content/plugins/formcraft/file-upload/server/content/files/160863da3da3f4---finuxakape.pdfIn PDF document text
- http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/16078a6cdbced7---wetadefunosufuw.pdfIn PDF document text
- https://howardsteeves.com/wp-content/plugins/super-forms/uploads/php/files/eeb859faaa94694e266a4b4737875007/kavevelajivovat.pdfIn PDF document text
- https://www.hotwaterfactory.com.au/wp-content/plugins/super-forms/uploads/php/files/788d62fd2cb3929356b86f436c85eb6c/jarifezisokibuwelabinare.pdfIn PDF document text
- https://southtours.com/wp-content/plugins/super-forms/uploads/php/files/rr2ndk8jqrd7bet60su7ptqd32/12202106575.pdfIn PDF document text
- http://maytinhtuyenquang.com/home/maytinhtuy/domains/maytinhtuyenquang.com/public_html/images/file/wegigew.pdfIn PDF document text
- https://accuratesearch.com/userfiles/file/jilokuxopobew.pdfIn PDF document text
- http://sazjah.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cdd2254dc8---pamogi.pdfIn PDF document text
- https://www.finestkindcharter.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607daf5e86b12---2787941870.pdfIn PDF document text
- https://salubrismd.com/wp-content/plugins/super-forms/uploads/php/files/6fe4c54d3b437e6b3d0e3b2908e8652c/dufoz.pdfIn PDF document text
- http://english-life.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160789b6e6583b---refas.pdfIn PDF document text
- https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/aef5412c8c8c485ea88410ea475e7a5f/wisemaridagixipajix.pdfIn PDF document text
- https://grandhotelbulgaria.com/userfiles/file/bilakivujuwutew.pdfIn PDF document text
- https://pointsourcegroup.com/wp-content/plugins/super-forms/uploads/php/files/daf88d717ef98339fc3219d4bc574f1a/lixijuzakulesusoxovuro.pdfIn PDF document text
- https://tehnol.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160729e758974c---wunasekepilisova.pdfIn PDF document text
- https://k-kompany.ru/wp-content/plugins/super-forms/uploads/php/files/b71e3d4427d866ba99f5702991c3a71f/79572640684.pdfIn PDF document text
- http://www.hangmandigital.com/files/file/33104100123.pdfIn PDF document text
- https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/u9csc97449vrsie5df5ge9ihie/xisiximumifuxetilunepi.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=candy+stripers+hospital+volunteersPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f8c3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF8C3	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off000110d5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x110D5	17624 bytes
SHA-256: `3c607638728de78b690534e7dfef958b85f5c0d4ee7c1cdd60a75f4d4896bea4`
`font_02_sfnt_off00013efe.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13EFE	10800 bytes
SHA-256: `23ce3418102ab2c129f7a960897588f01958a69d1ee1ef4ac547088c6b45a17a`

Open this report in the interactive analyzer, or submit your own file for analysis.