PDF malware analysis — malicious · c90af496515525f8

MALICIOUS

PDF

80.4 KB Created: 2021-08-06 18:00:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31

MD5: b21709561b1a40793aca2d0a0a57d538 SHA-1: f1c54014edd9af2e60d9aebfe0e9a1fa43b42591 SHA-256: c90af496515525f855d9853418f2fc9905558e653b8b6cad1f6124e4856ed017

132 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF document containing embedded JavaScript, which is a common technique for exploiting PDF vulnerabilities. It also functions as a link farm, directing users to multiple external URLs hosted on compromised or disposable domains. The ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a malicious intent, likely to phish credentials or deliver further malware via the linked sites.

Machine Learning

Nyx PDF Classifier suspicious score 0.3499

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://nomylo.ru/uplcv?utm_term=animal+jam+play+wild+hacks+no+human+verification PDF link annotation
- http://anatolianlgs.com/userfiles/file/fagerudipijo.pdfIn PDF document text
- https://nowackleverkusen.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609fe26517d5a---47600572164.pdfIn PDF document text
- https://namratalakhotia.com/userfiles/files/fojipazolamitidolibu.pdfIn PDF document text
- https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/e9kffant8p1ql4busf39rin3qf/54480483351.pdfIn PDF document text
- https://pametnidom.hr/pametne_kuce/userfiles/file/sukotaripuludaneled.pdfIn PDF document text
- http://redwoodpwr.com/wp-content/plugins/super-forms/uploads/php/files/v4nplma287rij60b4i9bs74gb4/bozaseverodezoremabo.pdfIn PDF document text
- https://www.taxikladis.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160c90384e73fb---kobutale.pdfIn PDF document text
- http://mundori.com/js/ckfinder/userfiles/files/tisawuxakozijoveba.pdfIn PDF document text
- https://verandapattaya.com/userfiles/files/vuvokiwilevuvebulinila.pdfIn PDF document text
- https://sgdivorcelawyers.com/wp-content/plugins/super-forms/uploads/php/files/669b896dfc619444acf333c83154cdd0/46062952799.pdfIn PDF document text
- http://kenshopvn.com/uploads/files/nanuvuserumixixuvolesojub.pdfIn PDF document text
- http://perlawarmii.pl/userfiles/file/76685047703.pdfIn PDF document text
- http://www.alquilerbares.com.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1607919cc52cef---taxinemeninekikigefoba.pdfIn PDF document text
- https://hsse.cl/files/tabuvorikoliz.pdfIn PDF document text
- http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/160fe007e5a3e5---riwoboxamawotupax.pdfIn PDF document text
- https://sygimportaciones.com/wp-content/plugins/super-forms/uploads/php/files/rf5q066spq3cj3k7cencp68ctd/fowit.pdfIn PDF document text
- https://coachtourbusrental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610ca9f39e2f2---lenabivovawowewupu.pdfIn PDF document text
- http://fecirturizm.com/resimler/files/sorutelapijezoxan.pdfIn PDF document text
- http://www.lentilles-progressives.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160e299add3623---jaritixoju.pdfIn PDF document text
- http://yomamasushitogo.com/uploads/files/pitasixulefus.pdfIn PDF document text
- https://mk-sito.it/uploads/file/89548733518.pdfIn PDF document text
- http://snotlicker.com/clients/10243/File/rinumu.pdfIn PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f8e8.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF8E8	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off000110ff.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x110FF	11456 bytes
SHA-256: `959258945669bcd4320d0e201b43257f8b3864c65a97afac7d39b7df8bf52478`

Open this report in the interactive analyzer, or submit your own file for analysis.