PDF malware analysis — malicious · bde46aa96738cddf

MALICIOUS

PDF

78.9 KB Created: 2021-08-15 05:34:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-03

MD5: cb283221bc5e04c132010078bc2adc2a SHA-1: c6cd281f54b48e3ca6457854071c9559d54f4172 SHA-256: bde46aa96738cddf386e050c7eea7903a4e6f82c8cd22d638e8a7040afc119c6

132 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and a significant number of external URIs, many of which point to compromised WordPress upload directories. These links form a link farm, likely intended to redirect users to malicious sites or phishing pages. The ClamAV detection further supports its malicious nature, identifying it as a phishing trojan.

Machine Learning

Nyx PDF Classifier suspicious score 0.4208

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://wastran.ru/uplcv?utm_term=korean+alphabet+with+english+translation PDF link annotation
- http://finsura-lifedirect.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160ba935f47d6d---53544695966.pdfIn PDF document text
- http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089f8b1cf8e5---ditezukefomikomosasisem.pdfIn PDF document text
- http://www.finanzanlagen-honorarberatung.de/wp-content/plugins/formcraft/file-upload/server/content/files/16100d91bb57db---revusosarowatavajake.pdfIn PDF document text
- https://hmanagement.net/userfiles/file/3742404281.pdfIn PDF document text
- https://amursvoidom.ru/media/files/manipepeg.pdfIn PDF document text
- http://anthonyvienna.com/sites/default/files/file/29679590767.pdfIn PDF document text
- https://summit-christian-academy.org/scauserfiles/files/tifafekakilebusedeje.pdfIn PDF document text
- https://resulgame.com/calisma2/files/uploads/mapapap.pdfIn PDF document text
- https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/2e45cc967f880c59d77be6df944d38bc/dafagakukudixivivadof.pdfIn PDF document text
- http://conservativista.com/js/ckfinder/userfiles/files/rakugavadadu.pdfIn PDF document text
- http://broadgatecapital.com/userfiles/file/65280455217.pdfIn PDF document text
- https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/5f4daf5726d0237afbb09f8e25877d9e/didinu.pdfIn PDF document text
- https://strategieb2b.ca/userfiles/file/jexamusomewow.pdfIn PDF document text
- https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/160754a247ec9a---92106726591.pdfIn PDF document text
- https://tcufroghouses.com/wp-content/plugins/formcraft/file-upload/server/content/files/160744d1d8ed80---38196951751.pdfIn PDF document text
- https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/2af9b289fbbbe3afc56dbc6fa160d778/43593290882.pdfIn PDF document text
- http://okna-stv.ru/userfiles/files/pajebirepofabesi.pdfIn PDF document text
- https://kisikana.hr/userfiles/file/jixizurigofowuwezoxanaxe.pdfIn PDF document text
- http://videofilm-tv.ru/content/File/72677071851.pdfIn PDF document text
- http://agiteam.org/clients/b/b0/b0c4817036ef1cb73596cc935f3fa86d/File/83264952642.pdfIn PDF document text
- http://sosnovgeo.ru/userfiles/file/domigetubuwajozugek.pdfIn PDF document text
- http://universalestetic.com/userfiles/file/bagasuxokugiluxelovofudu.pdfIn PDF document text
- https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/4d8a8ef1548b4c5433e6632e8a1364e4/jinegafaf.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e560.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE560	10748 bytes
SHA-256: `06355b4963712d83f0403571de8579d897742ffba43855f1bf963b94a30a3e83`
`font_01_sfnt_off0000fdd1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFDD1	19520 bytes
SHA-256: `e312327fee8a2ecb00c630fbf26b154fa0bb6f4ba30789e6c83508d060a9a337`

Open this report in the interactive analyzer, or submit your own file for analysis.