PDF malware analysis — malicious · aaba2d2cfc111ef8

MALICIOUS

PDF

87.4 KB Created: 2021-06-27 14:06:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 2ad2023069c03c0b3e7675044edbbb43 SHA-1: 4528e313e1b1c77ad81d57d45ccb94945463da10 SHA-256: aaba2d2cfc111ef84403cbc3a56dec5d03438407a44a955d845265d7132d1844

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, many of which point to compromised WordPress sites. The ML classifier and ClamAV detection strongly indicate maliciousness, with ClamAV identifying it as a phishing trojan. The primary attack pattern observed is the use of a link farm to direct users to potentially malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9948

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.vitrierbxl.be/wp-content/plugins/formcraft/file-upload/server/content/files/160a04488b9b65---68438495687.pdf
- https://theemperorsoldclothes.co.uk/wp-content/plugins/super-forms/uploads/php/files/omosb4tv1tga4tqlrfacdcdop8/58331282096.pdf
- http://www.molinoag.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be026fedba0---mukuxerabekapuwiset.pdf
- http://topcudental.com/img/userfiles/files/pajetekijawadijelegip.pdf
- http://eprdel.cz/userfiles/file/42181227475.pdf
- http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8059d1f82---damakotul.pdf
- https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/7c792d49100a3af76fd580ff7064644a/88082927786.pdf
- https://kimtuong.vn/isc/public/files/fckupload/file/92447527118.pdf
- http://lateonsettay-sachs.org/userfiles/file/togipi.pdf
- http://samtekelektrik.com/files/xexulafirumum.pdf
- http://ekotop.eu/userfiles/file/14983799440.pdf
- http://meble-tk.pl/userfiles/file/3561267179.pdf
- http://a-range.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160c781a34772f---53339693242.pdf
- http://penoplex24.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16098522f156e8---9110781190.pdf
- https://cplastik.com/data/cms/file/10054367337.pdf
- https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c991549d6aa---67988041895.pdf
- https://arichaindia.com/userfiles/file/xosimisu.pdf
- http://kemenyseprosiklos.hu/upload/file/lulosuxa.pdf
- http://fence-alarm.com/userfiles/files/xiravisej.pdf
- https://amitadevnani.com/userfiles/file/ziripuno.pdf
- http://banghetretunhien.com/media/ftp/file/81681664619.pdf
- http://tpdw.pl/userfiles/file/16639645752.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=angels+camp+city+museum
- https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/dfed43b7f7394dfcf2e2cfcbd9ab4fc4/20044684310.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f30d.bin` `48f08e14e79d24e673b0378b025e91b725c5ca2026af692884e2a345067d5723`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF30D	17008 bytes
`font_01_sfnt_off00011fac.bin` `50fcfd79427969c135af16eb9662bae74b44b7ddf067e777d8dee8fbf385e12f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11FAC	10692 bytes
`font_02_sfnt_off00013843.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13843	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.