PDF malware analysis — malicious · cd467b093086e44a

MALICIOUS

PDF

195.0 KB Created: 2021-06-14 23:36:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 37b2c906226540848a0c5c98303c752f SHA-1: b4a3833295e67f3e352086b68a5e5cc45c6e4371 SHA-256: cd467b093086e44ad521e22fb053836217b63989f7327a7b4e8ee2b9b39e299d

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs, many pointing to compromised WordPress sites, suggesting it functions as a link farm to distribute malicious content. The ML classifier strongly indicates maliciousness, and the presence of external URIs further supports a phishing or malware distribution attempt. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 5

PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://allytemp.ru/uplcv?utm_term=cat%2527s+cradle+kurt+vonnegut+pdf
- http://blackshirts1962.com/clients/f/f2/f245580d3072b78cda2271cf7a7e3f61/File/fupuna.pdf
- https://hoovermaids.com/wp-content/plugins/super-forms/uploads/php/files/d453e0af358e71dde85f133bba985f01/meviserulop.pdf
- http://nuyewrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/83adcb185f8702a2294675cf2846cae2/kenojir.pdf
- http://recamonde.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608aac0a1671b---wopixis.pdf
- https://deedpoll.sg/wp-content/plugins/super-forms/uploads/php/files/9e5ba0b345b1498e496b97c25d60e24b/tadinalobowodomixatugesos.pdf
- https://graffitipaintstudio.com/wp-content/plugins/super-forms/uploads/php/files/9ad39f39ecdf5fcb93b9e84230b30cb3/giripunanofexuvu.pdf
- https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075d6eb50833---64048730851.pdf
- http://ssteelelaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/tikokirozesegon.pdf
- https://susta.vn/userfiles/file/miviwufapoxef.pdf
- http://www.kmclogistics.com/wp-content/plugins/super-forms/uploads/php/files/c55c09bcb384c16a56443b56259e04c5/8556358417.pdf
- https://coil.hk/upload/files/rifezifurinirezukadifab.pdf
- http://bamt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160984488d97c1---jepibikopinu.pdf
- http://getawaynewzealand.co.nz/wp-content/plugins/formcraft/file-upload/server/content/files/160ac77caa1d92---38477195206.pdf
- https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608cb7596234b---xabigulojofizero.pdf
- https://tuabogadoangel.com/wp-content/plugins/super-forms/uploads/php/files/473c828c72c80d7aa48dc3d025a290f3/babesejorejafuwom.pdf
- https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/6r2evggrq5ppjgpnk6t641j6ts/4161697061.pdf
- https://mebelihome.ru/upload_picture/mudoxa.pdf
- http://www.aadhar-interior.com/userfiles/file/51550265890.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.daltonmaag.com/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0002b6b8.bin` `0242f9b864ea545b5c2f4c358d77639b8c43f7c9d1df0a0c8b6220133d200c41`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2B6B8	5340 bytes
`font_01_sfnt_off0002c901.bin` `d7501e368205473c7b533227047878794959589239a37e1d6ded0510c27a536a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2C901	10880 bytes
`font_02_sfnt_off0002edfa.bin` `cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2EDFA	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.