PDF malware analysis — malicious · a87bd4bc41354312

MALICIOUS

PDF

90.1 KB Created: 2021-08-24 22:53:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: 1e5bb2be07db5a60a5ba9bca90daf5bc SHA-1: 8c645a38465ae5e84b496c18579b8985f64cd4bd SHA-256: a87bd4bc41354312cc7c0bf8cea9e6c3ff7e102d1d407225fa4819e8860e26e8

204 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by a machine learning classifier and ClamAV as malicious. The document contains a 'clipboard command execution lure', instructing the user to copy and paste content into a shell, which is a common technique for downloading and executing secondary payloads. Several URLs pointing to compromised CMS upload directories and disposable hosting were also extracted, suggesting a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9932

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE

Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ellev.fr/upload/files/2864294362.pdf In PDF document text
- http://www.aqsclimited.com/EditorImages/file/9310306075.pdfIn PDF document text
- http://dienmattroigiasi.com/uploads/files/51818078793.pdfIn PDF document text
- https://rfcorporation.net/wp-content/plugins/super-forms/uploads/php/files/8b035b086fd555b9f78df5159a9b6460/rinipixakonikuvamum.pdfIn PDF document text
- https://unique.global/wp-content/plugins/super-forms/uploads/php/files/03ad1d7a885cf02f3f3e392a15606b95/gufimugupixefinadome.pdfIn PDF document text
- http://coumert.com/images/file/kugasajem.pdfIn PDF document text
- https://hotelristorantenovecento.it/wp-content/plugins/super-forms/uploads/php/files/6024e6bff5366aae87ae99dfdd82fef0/selekopanowujudekojum.pdfIn PDF document text
- http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608a8f0201554---41867160803.pdfIn PDF document text
- http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160982e0b2f31f---62267648167.pdfIn PDF document text
- http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607a00d3f08fb---motifumogikekudurax.pdfIn PDF document text
- http://fd-health.com/upload/ckeditor/files/vasebazekobutijalo.pdfIn PDF document text
- https://vinisfarm.com/wp-content/plugins/super-forms/uploads/php/files/778f466700ea4b873c4493f80e55f2de/sesaxefimefixu.pdfIn PDF document text
- http://mixmarketing.vn/upload/fck/file/voperexajizosolobab.pdfIn PDF document text
- https://audit-advisers.com/userfiles/file/33268165048.pdfIn PDF document text
- https://patriot.ch/wp-content/plugins/super-forms/uploads/php/files/5ebh4onrj59o3kb04t6n9cjqm0/50697232023.pdfIn PDF document text
- http://ohana1bbq.com/uploads/files/fimokekov.pdfIn PDF document text
- https://md-bud.pl/szklo/photos/file/togotuvijomis.pdfIn PDF document text
- http://historia-bfured.hu/userfiles/file/67005567843.pdfIn PDF document text
- http://graphicon.hu/wp-content/plugins/formcraft/file-upload/server/content/files/160815b97d72cd---24685970522.pdfIn PDF document text
- https://drbumbnursinghome.in/ckfinder/userfiles/files/malerikedegigosi.pdfIn PDF document text
- https://dfa-finanz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ac30c6a9f9d---mepotuzajibosiw.pdfIn PDF document text
- https://minutesnap.com/wp-content/plugins/super-forms/uploads/php/files/1940b4af50db8ddb80efb945203b542a/nulijefif.pdfIn PDF document text
- http://stroisvias.ru/userfiles/file/ziselisowulijepexupa.pdfIn PDF document text
- http://mppscstudy.com/admin/usercontent/file/zarugesefekonoxotunusufas.pdfIn PDF document text
- https://kuechentreff-schmid.de/wp-content/plugins/super-forms/uploads/php/files/nr2r4afjvrkikcvlplrs458d82/zomuwazamolavojorevosaf.pdfIn PDF document text
- http://onlinemidias.com/ckfinder/userfiles/files/kevemuzijikoxemutizatub.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=oracle+advanced+collectionPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fe2a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFE2A	10288 bytes
SHA-256: `d2a1cc4927bddd01800a83c063199129df46b2961a2b235e00d7185030d08cba`
`font_01_sfnt_off00011578.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11578	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00012d8a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12D8A	17048 bytes
SHA-256: `ba99904902f719b9fcd05079903ebc81b25c97f3f4009defe034428e7fecb996`

Open this report in the interactive analyzer, or submit your own file for analysis.