PDF malware analysis — malicious · bef9e50fd40e611c

MALICIOUS

PDF

72.3 KB Created: 2021-09-03 19:25:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 0056d3480b92d4695c4ddd899f6293dd SHA-1: 57c83548207ad6fe630a1842bd377d4d336ecbb1 SHA-256: bef9e50fd40e611cbd9ae843a1bf032a52d0471f49bc72055a5a41960097cc95

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a large number of links, many of which point to compromised WordPress sites hosting other PDFs. The ML classifier strongly indicates maliciousness, and the structure suggests a link farm designed to redirect users to potentially malicious content. No scripts were extracted, but the overall pattern is consistent with a phishing or redirection campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9973

Heuristics 5

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://spaslask.pl/wp-content/plugins/super-forms/uploads/php/files/id7f64pfjmn2v1qbgdv6htpvfv/70746551410.pdf
- https://acornschoolcharleston.org/wp-content/plugins/super-forms/uploads/php/files/6ca1997636c4ee383cc8b720a408d07a/43255769504.pdf
- https://ancoraeducacion.com/images/vivebupewavuwunolejokib.pdf
- https://orderpoet.com/ckfinder/userfiles/files/10524862738.pdf
- http://inlovehuahin.com/file_media/file_image/file/bagorasumuduxiziwi.pdf
- https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16099ecd733dc9---98804255832.pdf
- https://www.chinacimctrailer.com/wp-content/plugins/super-forms/uploads/php/files/9672326be5da8d53ec4c6ca587ead0b1/bezizemugo.pdf
- http://twilaw.com/files/files/63902115097.pdf
- http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2892c8e911---15144823523.pdf
- http://navigator-nsk.ru/userfiles/file/bononatije.pdf
- http://qataminational.com/uploaded_files/userfiles/files/boxibimopil.pdf
- https://fortlauderdale-carservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a171524c11---likubijexode.pdf
- https://aildf.in/userfiles/file/79100249264.pdf
- http://ambvet-trefontane.eu/userfiles/files/pizabimazeku.pdf
- https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/595ed8e5562fa3ed2173139c2022384a/54701101413.pdf
- http://volkshilfe-ktn.at/images/content/files/78864595181.pdf
- https://bentzendesign.se/wp-content/plugins/formcraft/file-upload/server/content/files/160b1a2a2ac1b4---49209113884.pdf
- http://weberstellen.ch/userfiles/file/gozawalemed.pdf
- https://www.lipfish.no/wp-content/plugins/formcraft/file-upload/server/content/files/160b5e16fcc05f---jifuzite.pdf
- http://rockpapersun.com/upload_mce_image/file/46240482164.pdf
- http://sinojjacob.com/userfiles/file/39060664513.pdf
- https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0977862173---remuduxipivanel.pdf
- http://s8radziejowice-paszkow.pl/userfiles/file/fazedufilogojev.pdf
- http://tachikawa-derma.biz/ckfinder/userfiles/files/75964746449.pdf
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=decile+for+ungrouped+data+pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b94b.bin` `3fed14ef6e0dccae9ac8307eb4a52d97c8a1327dfee8523daab44b9f2a71f3c9`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB94B	16088 bytes
`font_01_sfnt_off0000e27e.bin` `02d906963ffe5c57648f6758ba1f954dd41c0938a763c074557d93440e9dea6b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE27E	10728 bytes
`font_02_sfnt_off0000fb06.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB06	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.