PDF malware analysis — malicious · a3dfff759b314f91

MALICIOUS

PDF

85.4 KB Created: 2021-09-08 18:10:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 34e0c485235b25136963ec009b8d770f SHA-1: 0c89e6a79547a1b186f78e7214f7bbb9ffcbfc5f SHA-256: a3dfff759b314f91383939be77fefbe16709261e93bfaf67a6ad147f503677a0

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external links, many of which point to compromised WordPress sites or disposable hosting, suggesting a phishing or malware distribution attempt. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to open a password-protected archive, a common tactic to evade initial security scans. ClamAV detection further confirms its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9977

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://jatyn.cn/upfiles/202109/file/1630732100.pdf
- http://nesthomes.in/userfiles/file/40126860944.pdf
- http://barbusci.it/maisUserFile/file/bogazunekuvazozumepalavuk.pdf
- https://globaldreamindia.com/webcms/file/31305276.pdf
- https://www.novet.de/wp-content/plugins/formcraft/file-upload/server/content/files/161302e0d989af---85458455176.pdf
- https://vjlabor.pitscovn.com/uploads/Upload/files/nugixala.pdf
- https://goldenlinejsc.com/userfiles/file/votobed.pdf
- http://globalone-mould.com/gbw/fckfiles/20210902094901.pdf
- http://sportingclubalbinia.eu/userfiles/files/tovumefugobinatupatuw.pdf
- https://mogilew.ru/userfiles/file/dulilizoropemosi.pdf
- https://dondepodemosir.com/userfiles/file/34479347295.pdf
- https://www.chauffeur-prive-nice.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1613425bef3d61---vijimor.pdf
- http://eaupureinternational.com/userfiles/file/44377385812.pdf
- http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1612ff3b6ec4a5---gijanokawaxok.pdf
- http://teplospectr.ru/images/files/21442229810.pdf
- http://ardechetendancebrut.fr/userfiles/ardechetendancebrut.fr/file/34505636495.pdf
- https://eliteswimmingpoolsinc.com/wp-content/plugins/super-forms/uploads/php/files/pr7dt0u32so312a6hovt3h7ia4/48649630297.pdf
- https://htchninc.com/d/files/namejo.pdf
- http://xn--9d0b102a6wc3y4a.com/sa_upload/userfiles/file/20210902031658.pdf
- https://onsale.social-push.cc/data/fckeditor/files/47159715474.pdf
- http://wu-pao.com/upfiles/editor/files/5634883578.pdf
- http://iburgisidimarsala.eu/userfiles/files/40098168773.pdf
- http://due.pt/js/ckfinder/userfiles/files/77553960911.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/LPIa9PGmDLg/uplcv?utm_term=marketing+digitale+libro+pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e6b1.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE6B1	16792 bytes
`font_01_sfnt_off0000fec8.bin` `b9207af00245cd66ac9f083cbff8094916a26910f2a4c37da861fc029e9d45cf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFEC8	10728 bytes
`font_02_sfnt_off0001170d.bin` `06b6044e6405431ab800b549490170f057bbf65d71772b20847b8b4c981ba173`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1170D	18640 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.