Verdict: MALICIOUS
Risk Score: 274
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript that likely attempts to download and execute a second-stage payload, as indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic and ClamAV detection. The document also features a link farm pointing to compromised CMS uploads, suggesting a phishing or malware distribution lure. The presence of a Google feedproxy URL with 'powershell convert base64 to pdf' in the query parameters further suggests a malicious intent related to payload delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.7964
Heuristics (7)
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- Embedded script payload in PDF stream [high] (PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
- PDF link farm points to compromised-WordPress upload storage [medium] (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM): PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
- Small PDF is a non-clustered link farm on disposable hosting [medium] (PDF_SEO_DISPOSABLE_LINK_FARM): Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
- Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI [info] (PDF_URI): PDF contains an external URL action.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_pdf_script_0000897c.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x897C | 65534 bytes |

SHA-256: fa14cb5057a50bb19d4a234788f69fd0c23eef4ba1777a6c9eb8ea8b0fee636d
Detection (ClamAV): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: likely. Carved artifact contains 1 shell/COM execution token(s).
Preview script (first 1,000 lines of the extracted script):
%PDF-1.4
%âã
1 0 obj
<<
/Title ()
/Creator (�� w k h t m l t o p d f 0 . 1 2 . 5)
/Producer (�� Q t 5 . 1 1 . 3)
/CreationDate (D:20210906225044+03'00')
>>
endobj
2 0 obj
<<
/Type /Catalog
/Pages 3 0 R
>>
endobj
4 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
5 0 obj
[/Pattern /DeviceRGB]
endobj
7 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 8 0 R
/Filter /DCTDecode
>>
stream
... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000ca09.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCA09 | 16792 bytes |

SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1