PDF malware analysis — malicious · d0b5410ec44dcb53

MALICIOUS

PDF

66.5 KB Created: 2021-09-25 09:17:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23

MD5: 3e1dc052b1973aa1881a0ee81a8d08d0 SHA-1: 1c83f0470668cf6ed69262f76514f39da6fdeac0 SHA-256: d0b5410ec44dcb53ce70d3038d092b7ba0d8e454f10eb4f8cb58bc1c1e9773f0

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs, many of which point to compromised or disposable hosting. The 'PDF_SEO_DISPOSABLE_LINK_FARM' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' heuristics indicate a pattern of using such sites to host or link to malicious content. The ML classifier and ClamAV detection further support its malicious nature, likely as a phishing or malware distribution lure.

Machine Learning

Nyx PDF Classifier malicious score 0.7474

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://s13cf5ef.alojamientovirtual.com/ropalaboralbarata.com/userfiles/file/30958787118.pdf In PDF document text
- http://lesmashclub.com/imgUpload/files/73311074463.pdfIn PDF document text
- http://palestraarkadia.it/userfiles/files/papewejefekegak.pdfIn PDF document text
- https://alaqart.atelierleuthold.ch/userfiles/files/bunizulaberonokijol.pdfIn PDF document text
- https://www.blackandwhite-salon.com/wp-content/plugins/super-forms/uploads/php/files/tmp/waruruwatugotataz.pdfIn PDF document text
- http://materialdeestudo.top/userfiles/files/17577038296.pdfIn PDF document text
- http://trineckevzdelavani.cz/webpagebuilder/ckfinder/userfiles/files/1567154480.pdfIn PDF document text
- http://hublihorse.com/uploads/userfiles/files/bixeviwo.pdfIn PDF document text
- https://tennis94.fr/img/pics/files/71684668512.pdfIn PDF document text
- http://weilandensemble.nl/ckfinder/userfiles/files/62155300156.pdfIn PDF document text
- http://toszegisuli.hu/userfiles/file/wesedodadobupupusibumisa.pdfIn PDF document text
- https://testpensija.bankai.lv/ckfinder/userfiles/files/56197645403.pdfIn PDF document text
- http://www.waetsukai.jp/system/ckfinder/userfiles/files/bolulomog.pdfIn PDF document text
- http://infinity-pro.ru/userfiles/file/putozibo.pdfIn PDF document text
- https://parlagame.net/calisma2/files/uploads/96153136010.pdfIn PDF document text
- http://churchontherockuk.org/home/churchontherock1/public_html/userfiles/files/61457912381.pdfIn PDF document text
- http://ac-kenigsberg.ru/files/file/seguvusub.pdfIn PDF document text
- http://vilniausgreziniai.lt/userfiles/file/sesenirefinexop.pdfIn PDF document text
- http://aquitaine.annuaire-regional.com/ckfinder/userfiles/files/lexegijoxowejotuxoxumew.pdfIn PDF document text
- http://frutapac.com/ckfinder/userfiles/files/pipetorofawujaw.pdfIn PDF document text
- https://bliznacite.com/files/36478028059.pdfIn PDF document text
- https://mkserwis.pl/userfiles/file/43585155853.pdfIn PDF document text
- http://carrasvilla.es/uploads/files/gebafodedajokebapivixoro.pdfIn PDF document text
- https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/svd2g3lfmmi3es1ksgpjtu0neh/37526714324.pdfIn PDF document text
- https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/0b29205d0c0bca615f88595228f5081d/48775179888.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=goose+game+ioPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b345.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB345	1860 bytes
SHA-256: `562d39cc93351683f3420870a5578826c1285db13c691c08f99be18f4980e560`
`font_01_sfnt_off0000bbfc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBBFC	10144 bytes
SHA-256: `6317dba670e6c22d027cc55757be69cb3752381d3584a2ba3faf6a7bded47dc1`
`font_02_sfnt_off0000d2ad.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD2AD	14484 bytes
SHA-256: `0397a5abbbaa427f119fdc0edea42c15f114f88342e6777e39c2fe1425d9a9d0`
`font_03_sfnt_off0000f71d.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF71D	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.