PDF malware analysis — malicious · c71df554580702b4

MALICIOUS

PDF

85.4 KB Created: 2021-06-30 06:31:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2026-06-05

MD5: b07159400b782418fd02306d9e6e4355 SHA-1: 643236108fbe682f0de42b1af90a72e033bf9d24 SHA-256: c71df554580702b4a7a8b0670f4712c125489a243a44ba4bc39107585fa5466d

276 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1534 Steal or Forge Credentials

This PDF document exhibits multiple social engineering tactics, including lures for MFA/one-time-code harvesting and instructions for password-protected archives, suggesting an attempt to steal credentials or bypass security controls. The presence of numerous embedded URLs, many pointing to potentially compromised CMS upload directories, further supports a phishing or credential harvesting attack pattern. While no scripts were directly extracted, the overall structure and heuristic firings strongly indicate a malicious intent to deceive the user.

Machine Learning

Nyx PDF Classifier malicious score 0.9860

Heuristics 9

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
MFA / one-time-code harvesting lure high SE_MFA_LURE

Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://rajatotogroup1.com/contents//files/60995221066.pdf In PDF document text
- http://alkanboya.com/files/file///51020755129.pdfIn PDF document text
- https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7b53b854a1---vidifiwol.pdfIn PDF document text
- http://jrpst.pl/userfiles/file/38966954720.pdfIn PDF document text
- https://neoville.ru/wp-content/plugins/super-forms/uploads/php/files/f4d73688e7ee7483a57d2acb05c5b4d7/rovabesog.pdfIn PDF document text
- https://maugli24.ru/wp-content/plugins/super-forms/uploads/php/files/8882ef565729b422a5c21e4a8073097b/jujedasuwuzomonu.pdfIn PDF document text
- https://www.harnoordesigns.com/wp-content/plugins/super-forms/uploads/php/files/ipmejk3l4ou3avbsujlb5sq3e4/89180509776.pdfIn PDF document text
- http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3e81190b8c---66074585109.pdfIn PDF document text
- http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/160a8671dd1789---29018090879.pdfIn PDF document text
- http://www.oschouston.com/osc/wp-content/plugins/formcraft/file-upload/server/content/files/160a322475ae39---37142569006.pdfIn PDF document text
- https://kede.org/userfiles/file/xididomiluvuxik.pdfIn PDF document text
- https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/r8t2v98793s9kmvg2tp1vdcajd/jabenoxiroko.pdfIn PDF document text
- http://csc0351.com/userfiles/file/20210623084650_7aj46f.pdfIn PDF document text
- https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16095c967f11d3---70070197366.pdfIn PDF document text
- https://vishalahospitality.com/ckfinder/userfiles/files/77049622789.pdfIn PDF document text
- https://www.elitelawnsolutions.co.uk/wp-content/plugins/super-forms/uploads/php/files/jn5ho2p364jmssg1tddd6mg4kt/mipasivaj.pdfIn PDF document text
- http://lt101shop.com/userfiles/files/53383873348.pdfIn PDF document text
- https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/9etf8s6bd67hpedo1s96jilnsd/sosumopojisas.pdfIn PDF document text
- https://ises.ca/phpsites/vertical_living/uploads/file/71984377926.pdfIn PDF document text
- https://www.nestroots.com/wp-content/plugins/super-forms/uploads/php/files/t3kam4m3tnte7f04jf1i1cp861/xewubakudubabilulukaxiguz.pdfIn PDF document text
- https://caravanandre.it/wp-content/plugins/super-forms/uploads/php/files/5964c33dac5cff38599b0f5903401a05/mitafejodexug.pdfIn PDF document text
- https://ncvpte.in/userfiles/file/fitusunab.pdfIn PDF document text
- https://matrainagycsalados.hu/userfiles/file/vomofalena.pdfIn PDF document text
- http://infinity-pro.ru/userfiles/file/gedinarebizawuvif.pdfIn PDF document text
- https://apparel.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/96a07da480888106b4895ba7e09c8e7b/94914294140.pdfIn PDF document text
- http://sola-brothers.com/userfiles/file/nekuwaxutatexafi.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/zMnd8XtcwSM/uplcv?utm_term=how+to+encrypt+a+pdf+file+in+windows+10PDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e975.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE975	17240 bytes
SHA-256: `c84ba123a55fe2efc9310769ee93c36b404dd5b42763da6c7dd1f1ee335f3f32`
`font_01_sfnt_off0001165c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1165C	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00012e73.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12E73	10980 bytes
SHA-256: `0071b39bb577163bab5795b860f2e6dabf7246fa7f62d27794f319cbb64e3510`

Open this report in the interactive analyzer, or submit your own file for analysis.