PDF malware analysis — malicious · c41e8aae4ecd73b5

MALICIOUS

PDF

102.3 KB Created: 2021-07-08 12:43:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: b7392d66f170df6774824b5bfa649b88 SHA-1: 25423d04e4c8a9c3b38c40c11c25c0c6f8ad66fc SHA-256: c41e8aae4ecd73b5bb6a1eacd049871c1ed8505c90c4771602313e07c78ea9f8

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF sample was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. Heuristics indicate it functions as a link farm, directing users to multiple external URLs, some hosted on compromised WordPress sites. The presence of numerous URLs, many with 'utm_term' parameters, suggests an attempt to direct users to potentially malicious content or phishing pages.

Machine Learning

Nyx PDF Classifier malicious score 0.9956

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cructi.ru/uplcv?utm_term=bring+me+back+book+review
- http://tccsrl.org/userfiles/files/bubixunav.pdf
- https://buka.ru/sadm_files/6843247815.pdf
- https://muratay.nl/userfiles/file/zesaz.pdf
- https://nhakhoaanphuoc.vn/uploads/files/xemapexijuri.pdf
- http://mini-garden.ru/userfiles/file/pukonomigevoxidemasitabez.pdf
- http://ipvoicenj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e6546e51b8---xavizipozokoxunudijake.pdf
- https://atlastoursntravels.com/userfiles/file/96366783237.pdf
- http://smartvoicecom.com/userfiles/12823553356.pdf
- https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160acf81ecf647---xigerinazaxikulazelozatud.pdf
- https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/dc5726cc47b28c820fe34e35353ae7bc/xebafaturoki.pdf
- http://gccde.com/downloads/blog/geust/files/96774126927.pdf
- http://goldmustang.com/files/files/26824953102.pdf
- http://www.psstrecno.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160a5ffb53e6ee---nonek.pdf
- https://n95america.com/wp-content/plugins/super-forms/uploads/php/files/44b42bac46fbc2eab24de5a8528c181f/sewiguxaxovewusaru.pdf
- http://bora.su/ckfinder/userfiles/files/fuvuvadazojifo.pdf
- https://sgdivorcelawyers.com/wp-content/plugins/super-forms/uploads/php/files/8e671f4d4d57286fc5e3d1c9d01fe2fe/13502434350.pdf
- http://www.homefacelifters.com/wp-content/plugins/super-forms/uploads/php/files/9f8614fe157182813d0126bb78602349/20347100155.pdf
- http://ovartec.com/wp-content/plugins/formcraft/file-upload/server/content/files/160709647a5dc2---2497373211.pdf
- http://romanakladatelstvi.cz/userfiles/file/7007703043.pdf
- https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/1609956ed5a6a0---86852819699.pdf
- http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608f11c7934f6---buginitetonuji.pdf
- https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fcad4ca4bf---33282915183.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00012cba.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12CBA	16792 bytes
`font_01_sfnt_off000144cc.bin` `137d6a12b80b74076a455c76a339afb6b8f3871290b9243902cfa4e5e9a60e21`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x144CC	17800 bytes
`font_02_sfnt_off00017378.bin` `2acd95e2284115b835c0c2d838219333055ca2eced4d33893811594e54c6e033`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x17378	10700 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.