PDF malware analysis — malicious · b443c568afef8074

MALICIOUS

PDF

94.9 KB Created: 2021-07-01 13:29:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14

MD5: b378daeb0833868b421c51f3573103dc SHA-1: 2ee3a45938ae86b7f0a6e32d8f59f20eed97ab53 SHA-256: b443c568afef80749994021efdc208e2f74ed7a58fb2f41960d6780f119d38ef

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous links to external sites, many of which appear to be compromised WordPress installations used for hosting malicious files. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely provides instructions to decrypt an archive, a common tactic to evade gateway security. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to deliver a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9822

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://pistant.ru/uplcv?utm_term=how+to+get+free+robux+without+password PDF link annotation
- https://www.sanier.pl/wp-content/plugins/super-forms/uploads/php/files/q1t8k7rmq9sl9me76nlupqcrbn/90526441516.pdfIn PDF document text
- http://etasystem.net/userfiles/files/pinukokevowufusibejeduk.pdfIn PDF document text
- http://vitanova-cattery.com/upload/file/23813072727.pdfIn PDF document text
- https://mebelpozakazu.ru/wp-content/plugins/super-forms/uploads/php/files/b8199fa42a44d85442ea973bb5332b3f/dejaxoweloxujisunerame.pdfIn PDF document text
- http://ajivikafinance.com/userfiles/file/65292348546.pdfIn PDF document text
- http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/160748791258a2---85987282324.pdfIn PDF document text
- http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1608e51c04735d---rokexowolirilam.pdfIn PDF document text
- http://yuseigachi.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607d607de8048---rodokazibitegutetefejob.pdfIn PDF document text
- https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/mcuu8ue4hdrpb2pfsvedqmmc2u/21703130641.pdfIn PDF document text
- http://ozhelalikram.de/resimler/files/40560709600.pdfIn PDF document text
- http://forter.vn/hinhanh/file/tiroromunoleta.pdfIn PDF document text
- https://nadamasristorante.it/file/gebixelimosofat.pdfIn PDF document text
- https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/16090d3f3dc81e---tigarasejebevurevanodod.pdfIn PDF document text
- https://www.engltg.com/wp-content/plugins/super-forms/uploads/php/files/5fef04bb1a5a043a42cad8e76cb1f950/pisamikidadadegulewase.pdfIn PDF document text
- http://www.sarajevo-inn-grunewald.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad16b601115---1326083004.pdfIn PDF document text
- http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608d07126168d---nikubexasem.pdfIn PDF document text
- http://premiumresourcing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608303fabdd39---bodowikofu.pdfIn PDF document text
- https://eandjfamilyhealthcenter.com/wp-content/plugins/super-forms/uploads/php/files/2ad39a88fc65e106272466a2afb17ece/komebomipepovi.pdfIn PDF document text
- http://maslatalaia.com/userfiles/file/lofurulotaxasalujigedam.pdfIn PDF document text
- http://extintoresorigen.com/images/editor/gepigi.pdfIn PDF document text
- https://audit-advisers.com/userfiles/file/39224210050.pdfIn PDF document text
- http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4d4c210637---29454935674.pdfIn PDF document text
- http://malagi.pl/user-files/fck/file/36116519866.pdfIn PDF document text
- http://birzebbugastpetersfc.com/files/file/61488638993.pdfIn PDF document text
- https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/9rf8ibcj916lhd1l58gj0tuan0/3872677349.pdfIn PDF document text
- http://englandmatchshirts.com/assets/file/54631581698.pdfIn PDF document text
- http://kcobafl.org/ckfinder/userfiles/files/40408545056.pdfIn PDF document text
- https://madopin.com/calisma2/files/uploads/kixibani.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00010c92.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10C92	18036 bytes
SHA-256: `85ba021e7d5d2b1b87758a01ec76e86d84324afef1ea8e0d0fd92115fba62e56`
`font_01_sfnt_off00013bb8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13BB8	11044 bytes
SHA-256: `0b100eb7e4fd066b62e017b9f9ee320c256f2b368f8a8ec9279da54fce93fb64`
`font_02_sfnt_off0001553a.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1553A	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.