PDF malware analysis — malicious · d047c6ecac9be2f5

MALICIOUS

PDF

74.3 KB Created: 2021-09-20 11:50:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 5c99ebcef1b23cee39fc2c9cb041bb65 SHA-1: 21924193ff7cd91fd22b134784ff5f545ee75152 SHA-256: d047c6ecac9be2f50220e8620a12716ee5e549db42505b1ae9f81e8ad47f6288

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains numerous links, many of which point to compromised websites or disposable hosting, suggesting a phishing or redirection scheme. The presence of a link farm on compromised CMS upload storage further supports this assessment.

Machine Learning

Nyx PDF Classifier malicious score 0.9953

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://nbc.com.vn/ckfinder/userfiles/files/soloze.pdf
- http://velocimapper.com/webfiles/file/31329927524.pdf
- https://eclipsetheaters.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614776a9b2803---vewigetusax.pdf
- http://banglenhospital.com/UserFiles/File/21925926910.pdf
- http://fotofolliasanlazzaro.it/userfiles/files/66333422673.pdf
- http://mijneigenlift.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16147e8b310165---xewuxesebuzonopo.pdf
- http://vertex-decor.com/userfiles/file/rurifixuzuwewemu.pdf
- http://sigmabhp.pl/userfiles/file/13005207741.pdf
- http://serting.eu/userfiles/files/xirarojufepanusotapul.pdf
- http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613dcc323265e---20908447177.pdf
- https://ichapps.peaceofworld.com/ichapps/ckeditor-ckfinder-integration/uploads/files/37300462838.pdf
- https://netwindowvn.com/uploads/userfiles/file/jibimubuxumedu.pdf
- http://cecev.com/stockages/files/88742310365.pdf
- https://www.zaantraining.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1613f133e35ef4---9846087361.pdf
- https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/b24eed42b006fd4ecb184af310d3b09c/rogoti.pdf
- http://camonetinternational.com/files/file/73763623180.pdf
- http://bellina.pl/userfiles/file/gajile.pdf
- http://sameiroeventos.pt/ficheiros/sategebolelulu.pdf
- https://festivalecolo.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1613ba05d41a0e---gezedogata.pdf
- http://matonaklawfirm.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/9668591688.pdf
- https://euinsuti.uniluxgym.ro/app/webroot/files/userfiles/files/gusuwizobavojubudu.pdf
- http://marisqueandopremios.com/campannas/file/rapefibeputogamiremadij.pdf
- https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/161359f6305f9a---nibabejizel.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=cool+math+games+temple+run
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c0a8.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC0A8	16792 bytes
`font_01_sfnt_off0000d8ba.bin` `a3558785e9245f3c36f48827d84e44803772c2ab993f251ddeadec009a1370d0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD8BA	16572 bytes
`font_02_sfnt_off00010365.bin` `447540f4674f56a17c61050d18824922ab332bd2f807771f7210f3b7a0ce6aa0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10365	10740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.