PDF malware analysis — malicious · b92ace9c63673eed

MALICIOUS

PDF

297.2 KB Created: 2021-07-03 15:45:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: a4c1588b52fba6b38e7ddab71068a314 SHA-1: 19ad2832e81a1a403bcb5923e4b0dd35f86f50f3 SHA-256: b92ace9c63673eedb28b1d15cb062425d2aa108c36e6b6778dd1768569a51332

226 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and exhibits characteristics of a phishing lure. It contains links pointing to compromised WordPress upload storage, suggesting an attempt to distribute malicious files or redirect users to phishing sites. The presence of multiple external URIs and a link farm pattern further supports this assessment.

Machine Learning

Nyx PDF Classifier malicious score 0.9377

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://anpheatingandac.com/nbloom/fckuploads/file/54343897616.pdf In PDF document text
- https://eclipsetheaters.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9524fda704---63197874176.pdfIn PDF document text
- http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/tnnqlln2r3ilbrfrc74at5lcq0/nunuzoputiv.pdfIn PDF document text
- https://drsubhashawale.com/ckfinder/userfiles/files/96314632402.pdfIn PDF document text
- https://bcbc3399.com/upload/files/vuxapobuzomulomizezameni.pdfIn PDF document text
- https://abe-rdc.com/userfiles/file/57820241989.pdfIn PDF document text
- http://alt-1c.ru/userfiles/file/24912134677.pdfIn PDF document text
- http://feuerwehrobrigheim.de/upload/files/mutakiboz.pdfIn PDF document text
- https://webhostmurah.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084ebe2ce609---rezegaboweti.pdfIn PDF document text
- https://shayangroup.net/wp-content/plugins/super-forms/uploads/php/files/869253918b8828492898d2048d79e5f8/52844887341.pdfIn PDF document text
- http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/ttblqg48dtocmdsdv3ng4uspa1/31852516723.pdfIn PDF document text
- https://gift-edu.ru/wp-content/plugins/super-forms/uploads/php/files/43dcd7093a3c829b494fee5ce488a431/38603310573.pdfIn PDF document text
- https://mujeresenmovimientoplus.com/userfiles/file/sinaxesaxapud.pdfIn macro / runtime command snippet
- https://myhoorayhealth.com/wp-content/plugins/super-forms/uploads/php/files/52n5tvamevo12kn6am0p26h4s6/tuparopeletadafu.pdfIn PDF document text
- http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8d5764f933---51199966147.pdfIn PDF document text
- https://xlux.vn/wp-content/plugins/super-forms/uploads/php/files/o9f314pobgm8rfh5p731s5t450/guxogawevorabadivakowop.pdfIn PDF document text
- http://tuanlongland.com/upload/files/8819985176.pdfIn PDF document text
- https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/839a33fb383205329d27acfda0cacce6/fenubixipoluziruzazuzo.pdfIn PDF document text
- https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089b37833bf6---lerebulujowawapubusogume.pdfIn PDF document text
- https://condominiobrisasdelnorte.com/userfiles/file/pepaxunopunobemufax.pdfIn PDF document text
- http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607225fe99f11---wasunukelabizizo.pdfIn PDF document text
- http://namngonviet.vn/user-/files/kezogederoxikejo.pdfIn PDF document text
- http://aelma.com/sites/default/userfiles/file/23282593412.pdfIn PDF document text
- https://gift-edu.ru/wp-conteIn macro / runtime command snippet
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=the+third+day+of+creationPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00041b20.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x41B20	16164 bytes
SHA-256: `fd494554c7a7a2c4488382a78096c535ff133766c7221992be4f6a58596b2467`
`font_01_sfnt_off00043092.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x43092	21664 bytes
SHA-256: `b9982dea43af25d6f67a893d1c414782885d573bbccc4a18e34efc9c998a99c6`
`font_02_sfnt_off000467ce.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x467CE	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off00047fe5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x47FE5	10436 bytes
SHA-256: `deb29e5f529e95e65139acacc9e3d12c85c54ed6c727f553b9c6c5f08fb5023d`

Open this report in the interactive analyzer, or submit your own file for analysis.