PDF malware analysis — malicious · a9f723fae3c62104

MALICIOUS

PDF

88.3 KB Created: 2021-06-26 09:27:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: d83a9397e12d88a23e97c2e34366d5b3 SHA-1: 6338b134ca8daed587b53ef29cd5a7c9670f08eb SHA-256: a9f723fae3c62104567b5ce97dfe492ef3317ea9fcbe9f96996ac9d5ce0fb9ef

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The file functions as a link farm, containing numerous URLs pointing to compromised WordPress upload storage and disposable hosting. These links likely serve as a lure to direct users to phishing sites or download further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9961

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://cgpreceptor.com/ckfinder/userfiles/files/87824508768.pdf
- http://autodilykanka.cz/cmsimple/images/file/muxodevepuxagemizometa.pdf
- https://kicksomeglass.com/wp-content/plugins/super-forms/uploads/php/files/7d2e725a5f6e66d6428403e0444e5782/19440724682.pdf
- https://afanasyev-design.ru/wp-content/plugins/super-forms/uploads/php/files/6a10f3d05fbe7264b6848bde02970d4b/wekitigevipize.pdf
- https://dezsredstvompx.ru/wp-content/plugins/super-forms/uploads/php/files/56e83a366a195a7cbd3f34132342199f/50551202400.pdf
- http://viermaalh.nl/Bottesteyn/Site/afbeeldingen/file/tizerinovimoluj.pdf
- http://illinoislivestock.org/userfiles/file/9415685711.pdf
- http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/34488e416052a6f574e5806dcd1df199/64727954809.pdf
- http://se-ty.ru/uploads/userfiles/file/zutunodujufo.pdf
- http://neurooperations.com/ckfinder/userfiles/files/vifenatek.pdf
- https://amd-export.com/site/upload/file/33575884342.pdf
- http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f81644d3e8---90629099851.pdf
- http://www.hkqi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091d916c17e7---nidirumipajerinugudat.pdf
- https://k-kompany.ru/wp-content/plugins/super-forms/uploads/php/files/07e78928e56399a8636c614effb6c7f8/pugomojenukiz.pdf
- http://vtracauto.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2ad30123cb---20067343150.pdf
- http://allprintusa.com/admin/images/file/doxebewasoriguzanuvugaw.pdf
- http://greenld.com/userfiles/rakujo.pdf
- https://agentcctv.com/userfiles/file/dineritivifuvisexide.pdf
- https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/1edeb06e1f12ea7dbdd3dfa9869798ad/nuropofatuwuboketojar.pdf
- https://newtop-eg.com/userfiles/file/velazenaruruvexopowod.pdf
- http://mdbim.pl/ubezpiecz/obrazy/file/sasodurifutizopelurez.pdf
- http://orbitsecurity.qa/pro_mvp_tech/uploads/file/jewedobuzutida.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=what+determines+if+a+bond+is+polar
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f237.bin` `136efa1ea2ed66a3eec8239e6eb06882dfb9d8afa96a33641aeb8ea31e38c469`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF237	18460 bytes
`font_01_sfnt_off000122dc.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x122DC	16792 bytes
`font_02_sfnt_off00013af3.bin` `af4a0793eabb945cbc1d804a545ae449b2ceabdfe75e87aefa461bc11c39c3de`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13AF3	10896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.