PDF malware analysis — malicious · ac172b5a77cb30c4

MALICIOUS

PDF

81.3 KB Created: 2021-07-04 18:30:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: e698a75b276fa133a4995f6db8fe44bb SHA-1: 36d4ca55ffef50adfe67e2f9fcef5288b181faad SHA-256: ac172b5a77cb30c43b264b4fceb9c0c7fdd2a83bc94d490a1df216efe230cfe8

204 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous links, many pointing to compromised CMS uploads and disposable hosting, indicating a malicious intent to redirect users. The ClamAV detection and ML classifier strongly suggest this PDF is a phishing or malware distribution vehicle. The embedded JavaScript likely facilitates the redirection or execution of further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9949

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://aucoindeshalles.com/menu/file/58241427423.pdf In PDF document text
- https://swotin.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c23a917cfd---51655104100.pdfIn PDF document text
- https://www.prestigeautobody.com.au/wp-content/plugins/super-forms/uploads/php/files/b4ed229890283712bed441c132a19a22/47285015260.pdfIn PDF document text
- https://www.elitelawnsolutions.co.uk/wp-content/plugins/super-forms/uploads/php/files/q724q53taeeqgq5cjcc73gcfq9/97006468898.pdfIn PDF document text
- http://xn--90ad5ackt1d.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/b1236d8181351847c801bde0053dfd7e/zedosigebiwolenikujo.pdfIn PDF document text
- https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c98c8f26bd3---2489415391.pdfIn PDF document text
- http://www.hkwebdesign.com.hk/wp-content/plugins/formcraft/file-upload/server/content/files/16075d07acddad---kulazuwubilikaz.pdfIn PDF document text
- http://score1forspencer.com/clients/4/45/4587145e2679cb7673d0e21b436e5c25/File/56795701543.pdfIn PDF document text
- http://www.grundys.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16080409b58433---nodizas.pdfIn PDF document text
- http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160748a246ad93---90491731063.pdfIn PDF document text
- https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/b29c28f10b40c0c5399aaffc606bf4e2/norulatizisuluw.pdfIn PDF document text
- http://www.microsinusectomi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16077a1c24ca8f---84913566741.pdfIn PDF document text
- http://industra.sk/userfiles/file/83093844116.pdfIn PDF document text
- https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/78d1c83b90f0bfe02ca48ab5de7c7c77/feluxiwoxax.pdfIn PDF document text
- http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/7qjkok6354cvsl1q2187sqts95/viginifajijuvumawane.pdfIn PDF document text
- https://armagedonspedycja.pl/files/file/81049254471.pdfIn PDF document text
- http://www.caribbeandentist.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075ccfa8bb53---32955935575.pdfIn PDF document text
- http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607fdec347143---wimatunipogadadodu.pdfIn PDF document text
- http://perseverance.cyou/updatefiles/file/xadaxiwarusiravib.pdfIn PDF document text
- http://ventiliatoriai.lt/js/ckfinder/userfiles/files/56304085872.pdfIn PDF document text
- http://samafb.org/uploadfilefiles/jexitepulazenoxaruwi.pdfIn PDF document text
- http://doublehappyvstheinfinitesadness.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e9d9e73cdd---99988203046.pdfIn PDF document text
- http://jfhcoaching.nl/userfiles/files/84354298439.pdfIn PDF document text
- http://nesemlak.com/test/images/uploads/files/zifux.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=gregor+and+the+rats+of+underlandPDF link annotation
- http://crossfit28.com.s125853.gridserver.com/siteuploads/editorimg/file/kopomufef.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d7b6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD7B6	17624 bytes
SHA-256: `a7639dbebfab167fc8002eef97d225f76eede569429a9df4de8587670d348dfe`
`font_01_sfnt_off000105ee.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x105EE	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00011e05.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11E05	10680 bytes
SHA-256: `ab379ab609d65a3f548d6fe7ac0156b53d72cd7eabbb4214925d13d69afac010`

Open this report in the interactive analyzer, or submit your own file for analysis.