PDF malware analysis — malicious · b72fa5d6509b3b4e

MALICIOUS

PDF

82.9 KB Created: 2021-09-13 01:26:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: c2c86b73f9ba8570d9b756c7a988c7b8 SHA-1: 762ed45701b69ba114a67e583b679d2b8cfb150f SHA-256: b72fa5d6509b3b4e4bf8fea5c4fdfce0ad846c107be7dbba2f5405fe3d061ae2

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and numerous external URIs, many of which point to compromised or disposable hosting. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates a deliberate attempt to create a network of links for SEO manipulation or to host malicious content. The embedded JavaScript likely facilitates the redirection or execution of further malicious actions, contributing to a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9846

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.sloepverhuur-debiesbosch.nl/upload/files/38377137814.pdf
- http://sm300159.agchost.com/userfiles/files/feligi.pdf
- https://krantiservice.com/ckfinder/userfiles/files/dadek.pdf
- http://soosanfix.com/upload/fckeditor/file/kozukufifijorawabanij.pdf
- https://bandotrading.com/uploads/file/84981659535.pdf
- http://mptech.vn/ckfinder/userfiles/files/78877679493.pdf
- http://www.huntsvillepr.com/files/files/somex.pdf
- http://tykhchem.com/upload/files/1769528927.pdf
- http://sjmhospital.org/files/js/ckfinder/userfiles/files/94669650988.pdf
- http://dolekkoyum.com/admin/UserFiles/file/83587133265.pdf
- http://cassotech.nl/site/data/ws/files/63661360624.pdf
- https://skvacations.com/userfiles/file/44420007298.pdf
- https://maconlux.lu/userfiles/files/fomilalimemef.pdf
- http://descanso.verareyes.com/ckfinder/userfiles/files/75055658012.pdf
- https://cleartunemonitors.com/ckfinder/userfiles/files/xisuripalaralobebunos.pdf
- http://fortlauderdalelimorental.net/wp-content/plugins/formcraft/file-upload/server/content/files/1612ebf88f3044---17124876451.pdf
- https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/161375a54a6563---88565421105.pdf
- https://maxlinder.com/admin/assets/ckfinder/userfiles/files/59827836019.pdf
- https://alkoplast.rs/files/39229421578.pdf
- http://yoron.net/up/files/sazegutelemifeziven.pdf
- http://apluskleaning.com/admin/images/file/76058082428.pdf
- http://hglobaltour.com/FileData/ckfinder/files/20210909_62C6946FE4612F74.pdf
- https://manhalhealing.com/userfiles/file/96855922950.pdf
- http://sbs-group.co/userfiles/files/84759083412.pdf
- http://mega-gold.com/userfiles/files/neludadakewebozubijev.pdf
- http://subventionsbetrug.de/wp-content/plugins/super-forms/uploads/php/files/40kloehgqemg81b9b65guqo6r8/8922550673.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/3CAf4wW3hvY/uplcv?utm_term=how+to+copy+link+android
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000dec0.bin` `7ccf3687df3b0dc9acdb494b06cfde86130c0c624774c6a5163443d40f4a36f5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDEC0	18376 bytes
`font_01_sfnt_off00010e28.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10E28	16792 bytes
`font_02_sfnt_off0001263f.bin` `452f6f96bd57e2155b33bbfe6db8824d1eaf61a56becbb77052ab54a603827ae`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1263F	10492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.