PDF malware analysis — malicious · c5c7da2ae908a394

MALICIOUS

PDF

63.5 KB Created: 2021-09-08 06:33:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16

MD5: 603df4d19b6f0c7749c0cd7dc7dd6cb4 SHA-1: d5e0e51de501377220b5f4e70fc0ff0d568c0e26 SHA-256: c5c7da2ae908a394d22754dce3cb86f2264b17fed7cf4b33361778d1dcc16013

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs pointing to compromised WordPress sites and other domains, indicating a link farm designed to redirect users to potentially malicious content. The ClamAV detection and ML classifier strongly suggest a phishing or trojan payload delivery. The document body is heavily obfuscated and unreadable, providing no direct textual clues, but the overall structure and heuristic firings are indicative of a malicious intent to lure users to external sites.

Machine Learning

Nyx PDF Classifier malicious score 0.6700

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://philabc.ru/uplcv?utm_term=bomba+sodio+potasio+pdf PDF link annotation
- https://www.eziblank.com/wp-content/plugins/super-forms/uploads/php/files/53024fe13855db6268be99d5c116f280/76831069391.pdfIn PDF document text
- https://mttrasportisrl.it/dati/upload/file/39269307800.pdfIn PDF document text
- http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce50ea3dff---buweduxelijebutaweboge.pdfIn PDF document text
- http://nhactheducthammy.com/upload/files/15706531624.pdfIn PDF document text
- http://fabtur.ru/upload/files/10507583671.pdfIn PDF document text
- http://homelife-superstars.com/image/files/pifatunidatidovubuw.pdfIn PDF document text
- http://3bbb.fr/ckeditor/upload/files/33238119293.pdfIn PDF document text
- https://hyundainhapkhau.vn/upload/files/26763655518.pdfIn PDF document text
- https://trotusgrup.ro/ckfinder/userfiles/files/zosonutezi.pdfIn PDF document text
- https://butterfly-propertymanagement.com/userfiles/file/8435428371.pdfIn PDF document text
- https://textolinguisticsolutions.com/upload/editor/file/sikukatatotowili.pdfIn PDF document text
- http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160708e2a5bcc0---61521768580.pdfIn PDF document text
- http://nfc.soo.jp/file/5067202913.pdfIn PDF document text
- https://www.mclarenpress.com/wp-content/plugins/formcraft/file-upload/server/content/files/160750f02b20ed---51632728668.pdfIn PDF document text
- https://b2cexpressdemo.com/userfiles/file/60623158926.pdfIn PDF document text
- http://dokumsuzgec.com/userfiles/files/59377999826.pdfIn PDF document text
- http://xn--80aaaghhaztbcd1agjgbccsgfftf.xn--p1ai/pict/file/88444627230.pdfIn PDF document text
- https://riolospettacoli.it/filesUploads/file/33821822361.pdfIn PDF document text
- https://www.allterra.group/wp-content/plugins/super-forms/uploads/php/files/b4128461ed711f3f8ca7ba4d90a52aee/5058286763.pdfIn PDF document text
- https://kachhiproperties.com/wp-content/plugins/super-forms/uploads/php/files/45300dc6486b695d421b7701be0b34b1/70782183315.pdfIn PDF document text
- http://www.holzbau-hoelzl.at/wp-content/plugins/formcraft/file-upload/server/content/files/160c28525e5e41---96863750838.pdfIn PDF document text
- https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/c3b790ae02519f6a5e9997b0cbb385b6/newiligi.pdfIn PDF document text
- http://ecohost.ru/pics/images/file/30212349577.pdfIn PDF document text
- http://movementlab.dk/userfiles/file/mavaligu.pdfIn PDF document text
- https://primax.fr/wp-content/plugins/super-forms/uploads/php/files/9ev3onhrmj2hgf7b82bkcgomm1/99776962515.pdfIn PDF document text
- http://m2mus.pro/clients/b/b1/b1ca46fdb12d68e762e4a8b3318caec0/File/refivewovupejoparozobenag.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c247.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC247	16648 bytes
SHA-256: `8823c83ed04a1899133e864168f770138a828e702e1834d127e93bcdd83662ec`

Open this report in the interactive analyzer, or submit your own file for analysis.