PDF malware analysis — malicious · cff8526f0eba3ccc

MALICIOUS

PDF

72.2 KB Created: 2021-07-30 09:12:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 383eac7b6393b50c2c346b0f89558b1e SHA-1: f1637f6f41005365d7302a94173a3c7978b25123 SHA-256: cff8526f0eba3ccc9342da6d1171e359f8e45a62f8f980d86466228173c881b2

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. It contains numerous links pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The document body is heavily obfuscated and appears to be generated by wkhtmltopdf, lacking readable content that would indicate a specific lure.

Machine Learning

Nyx PDF Classifier malicious score 0.9982

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.lumisolar.pe/wp-content/plugins/formcraft/file-upload/server/content/files/160e1a213baf25---biparoloxeledazet.pdf
- https://www.hotwaterfactory.com.au/wp-content/plugins/super-forms/uploads/php/files/747505d3af9f7f2c9374df1fa9544f43/63212824280.pdf
- https://ovistar-dz.com/ckfinder/userfiles/files/51188227036.pdf
- https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/160dd6a2eb7fa6---86446503842.pdf
- https://mimpiindah88.com/contents//files/3448660327.pdf
- https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/51d98c68a2f8908148dbda9f1a55e462/manilaxosudutowewetuziwo.pdf
- https://securityguardsupply.org/php/uploads/file/13410778034.pdf
- https://happycustomerservice.com/wp-content/plugins/super-forms/uploads/php/files/11ad5ca5ba71a87457eaaa91d173b59f/fogotobigitotoxekikasig.pdf
- http://ekolojikweb.net/upld/userfiles/file/boxulobuwabazube.pdf
- http://hart-metale.pl/gimnazjum/userfiles/file/kekatom.pdf
- http://hk-dcc.com/wp-content/plugins/super-forms/uploads/php/files/rn5u7d61l8ea96ivhu226fh17g/gexupa.pdf
- https://astdubai.co/userfiles/files/38420172707.pdf
- http://soleilboo.com/images/uploads/files/68344747221.pdf
- https://prawobrzeze.info/userfiles/file/pobarujizap.pdf
- https://orldoc.ch/wp-content/plugins/super-forms/uploads/php/files/bfdfics1vrab5r73tv2hvpod06/wokomogazivuza.pdf
- http://ahkjt.com/upfile/file/47161387657.pdf
- https://designcoordinators.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dfa118d042---88731283317.pdf
- http://serendipityorlando.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab46e38c75d---fufulut.pdf
- https://ahreco.com/uploads/news_file/nolijiw.pdf
- http://richmediahouse.com/admin/uploads/file/fazetawewi.pdf
- http://controldellaves.com/app/webroot/arxius/file/69845639659.pdf
- https://ajwatravel.com/wheelmarine/userfiles/file/garub.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=administracion+de+medicamentos+por+via+nasal+definicion
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b980.bin` `b5885e2f27dd5fb5cb0c16cedf1871d1a70692a21d66c15032298928a75edbd8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB980	15556 bytes
`font_01_sfnt_off0000dff5.bin` `a24e2ffc12c61c9aed126f783cf28a4149372d21593385c18a91ab2419fac1fd`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDFF5	10828 bytes
`font_02_sfnt_off0000f8f0.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF8F0	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.