PDF malware analysis — malicious · a8372d70e506bbdc

MALICIOUS

PDF

90.2 KB Created: 2021-09-07 07:16:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11

MD5: 7da44d8dff30e82f59f80be347faf98d SHA-1: 9a191cbd2df4f8d599f615df50f412d11a94f6e9 SHA-256: a8372d70e506bbdcbe60730f7c5ee65780605dc40e76a152077e7a1c08f963f9

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with a 'Pdf.Phishing.Trojan' signature, indicating a phishing intent. It contains numerous URLs pointing to compromised WordPress sites and disposable hosting, suggesting it functions as a link farm to distribute further malicious content. The presence of embedded JavaScript, though not fully analyzed due to obfuscation, likely facilitates the redirection or download of a second-stage payload.

Machine Learning

Nyx PDF Classifier suspicious score 0.4623

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://philabc.ru/uplcv?utm_term=ankle+mobility+exercises+pdf PDF link annotation
- https://autosofortkauf.ch/wp-content/plugins/super-forms/uploads/php/files/b6lsvgamjshu12j9sp04va7ki1/17780384978.pdfIn PDF document text
- https://flyingfish-stay.com/userfiles/file/19918913422.pdfIn PDF document text
- http://calhi1977.com/clients/879053/File/jutemudufuxaxazudejilom.pdfIn PDF document text
- http://www.europesolidaire.eu/userfiles/files/xorudimemofolupofasizinox.pdfIn PDF document text
- http://axi-hohenstein.de/userfiles/file/49763247229.pdfIn PDF document text
- https://popcouncilinstitute.org/wp-content/plugins/super-forms/uploads/php/files/2b64d187cb57a45b53f3dafe1de6787d/pezirometapina.pdfIn PDF document text
- https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/db343ebee64faa2e4c02ba5da86ccba9/8368854717.pdfIn PDF document text
- http://studio-orlandini.com/userfiles/files/tezixaniburasironaxobe.pdfIn PDF document text
- https://mttrasportisrl.it/dati/upload/file/sudimoruxobelumarejas.pdfIn PDF document text
- https://danielfelber.ch/userfiles/file/20636456419.pdfIn PDF document text
- https://leganordavigliana.it/uploads/file/wovibisij.pdfIn PDF document text
- https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606c960f6e0cc---8708791875.pdfIn PDF document text
- https://clickkedai.com/userfiles/file/76716287492.pdfIn PDF document text
- https://lesfeesdelhetre.fr/upload/files/wuzofawinevuxinafuloxej.pdfIn PDF document text
- https://roweryelectra.pl/app/webroot/uploads/file/16265327005552.pdfIn PDF document text
- http://abwcockeysville.com/uploads/files/26733538164.pdfIn PDF document text
- http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/160aa6d0c994a0---gapamoda.pdfIn PDF document text
- https://phunhai.net/upload/files/vabifejutupekezezixi.pdfIn PDF document text
- http://mgtofubbq.com/uploads/files/76626125198.pdfIn PDF document text
- https://mkontakt.pl/dat/file/kirujewagoxerovibonu.pdfIn PDF document text
- https://berettyotv.hu/userfiles/files/72496688824.pdfIn PDF document text
- http://agro-norwa.pl/userfiles/file/lilerepozawegubeju.pdfIn PDF document text
- https://klcmekatronik.com/ckfinder/userfiles/files/rirepaza.pdfIn PDF document text
- http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a501f82c3b2---xivudasabibawanimenenati.pdfIn PDF document text
- http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/16107866027a86---44863653033.pdfIn PDF document text
- https://stefandes.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094b41a74538---xisilasovazidabeba.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012609.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12609	11048 bytes
SHA-256: `1017162dd104a51ad7a20d67f940c076e4908730ed3d3fb2328154f6e64177ee`
`font_01_sfnt_off00013f8d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13F8D	18844 bytes
SHA-256: `15d2a74d85de97b9d509a8ee84117e65d1d623f778992d8782279e7ff800f8d3`

Open this report in the interactive analyzer, or submit your own file for analysis.