PDF malware analysis — malicious · ab85bcd030c9aac3

MALICIOUS

PDF

69.0 KB Created: 2021-09-22 10:17:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 691940408766a8a5a751f26621c0f6e4 SHA-1: 6710d8a1261201ef41ccbff3ebd20dfa5a0a59d2 SHA-256: ab85bcd030c9aac3ce6850e79e610685123b90cf22586436cce34b3692740f9a

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics as malicious, including a ML classifier and ClamAV, indicating it is likely a phishing or malware distribution lure. It contains numerous external links, many pointing to compromised CMS uploads or disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The document body is heavily obfuscated and unreadable, providing no direct content clues, but the presence of many URLs strongly suggests a redirection or phishing attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9965

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://infrive.ru/uplcv?utm_term=block+craft+3d+unlimited
- https://www.pietri-automobiles.com/wp-content/plugins/super-forms/uploads/php/files/5bnrru0b57umqisdbn59h15mfq/miraginuxabutemidiwefaxo.pdf
- https://kaowei.tw/image/files/20210904_120323.pdf
- http://capriololaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/suxudejizewokumakawuxev.pdf
- https://bloomeng.com/uploads/kasuko.pdf
- https://rpaxis.net/userfiles/file/neteribopi.pdf
- https://www.totspotdaynursery.co.uk/ckfinder/userfiles/files/91488132664.pdf
- http://4998horo.gmmwireless.com/contents/files/82851252045.pdf
- http://www.mueblesgamez.com/ckfinder/userfiles/files/ranesomi.pdf
- https://hocaukhudothithanhphogiaoluu.com/asset/site/files/55760347234.pdf
- https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/bo918s0e2cn7cftcfft24jsnqc/95285251447.pdf
- http://dulwichtaxi.com/survey/userfiles/files/72183994023.pdf
- https://ceramicasvillaflor.cl/UserFiles/File/95633117999.pdf
- http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/16138a9cf67ad8---22720871033.pdf
- https://stoneappeal.in/FCKeditor/file/xalizus.pdf
- https://888nv.ru/userfiles/file/52820801333.pdf
- http://www.danvillern.com/wp-content/plugins/super-forms/uploads/php/files/d9bf4ad7da138940a787227d0e57a81d/gogino.pdf
- http://hide-bo.com/img/tmp/file/55525327285.pdf
- http://orem.mn/uploads/files/mumivavazusulajodanawosoz.pdf
- https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/6jd4ia73teer97snhvrkt1d0q5/71380975310.pdf
- http://www.primariasantana.ro/uploads/file/5823300268.pdf
- http://mannaz.pl/userfiles1/file/wumapekevizezuminopi.pdf
- http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1612e9a943d2c4---67885216453.pdf
- https://bdaudit.ro/userfiles/file/41942584289.pdf
- http://utpcomp.ru/uploads/files/72664287985.pdf
- https://yaofangpeixun.com/upload/files/10706840607.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b10f.bin` `5fdaf6d9366626383c6dfd68550b7a05f9f53b5fa25841c36043f62d9f54e409`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB10F	14492 bytes
`font_01_sfnt_off0000d565.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD565	16792 bytes
`font_02_sfnt_off0000ed7c.bin` `d113d4fa9546a794e80dbab22a19a40be01c987b8a3e09420711c2e424d7c129`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xED7C	10888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.