PDF malware analysis — malicious · d5a4bc09fda62167

MALICIOUS

PDF

84.8 KB Created: 2021-09-20 03:07:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 9bd6492fbc0c17896820ab2d1acf87b0 SHA-1: 4ebc9119b210fab87606d36cb983826d2d3cc9c2 SHA-256: d5a4bc09fda62167c9057af5ce4b8989070a0ac1167d2fd91fb92e0a9cec2fa6

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript and a large number of external URIs, many of which point to compromised WordPress sites. The heuristic 'PDF_SEO_DISPOSABLE_LINK_FARM' indicates the document is a link farm on disposable hosting, suggesting a phishing or SEO poisoning attempt. The embedded JavaScript is likely used to facilitate redirection or further malicious activity, aligning with the 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' findings.

Machine Learning

Nyx PDF Classifier malicious score 0.9956

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613834a831087---28668670385.pdf
- http://hwayoung.kr/upfile/files/29027000472.pdf
- http://rhondadejean.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/79398746721.pdf
- https://somogyplusz.hu/files/raxadovenemesujowowovunex.pdf
- http://theydeserveastamp.org/wp-content/plugins/formcraft/file-upload/server/content/files/16132047da430d---22892285330.pdf
- http://yameitecl.com/ckfinder/userfiles/files/20210911_194906.pdf
- http://xingzhongjing.com/userfiles/file/20210911213632_1788033621.pdf
- https://bakotech.at/uploads/ckeditor/files/69102512132.pdf
- https://wcdt.co.th/wp-content/plugins/super-forms/uploads/php/files/sd43v6klnncj9ijjpta0fec5dm/86648134018.pdf
- https://f1com.ge/wp-content/plugins/super-forms/uploads/php/files/0c4347fa5efad898e5150f166d89203b/sexelaper.pdf
- https://designmaster.in/scgtest/eec-new/codelibrary/ckeditor/ckfinder/userfiles/files/14811979459.pdf
- https://keiba-like.biz/js/ckfinder/userfiles/files/tolidotirozositorulibax.pdf
- https://www.assofmt.org/ckfinder/userfiles/files/77593273009.pdf
- https://instalacje-elektryczne.net/ckfinder/userfiles/files/lozopem.pdf
- http://xn--80aafmoni2biho.xn--p1ai/admin/ckfinder/userfiles/files/93082582792.pdf
- http://fullx.net/files/famolijonojilale.pdf
- http://www.og2c.com/images/file/manefebuzaduvudolozedi.pdf
- https://insolite.lu/img/userfiles/files/gakawadisobixuzowekow.pdf
- http://www.findvoters.com/userfiles/file/92735520540.pdf
- https://rockeit.com/userfiles/file/sasexe.pdf
- https://ecowaytechnologies.com/ckfinder/userfiles/files/jibevudipapaxawiwibopa.pdf
- http://bantinnhadat.com/users/files/tenerirudekikabam.pdf
- https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/161303f3cde083---bidimowibox.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=mobile+legend+bang+bang+515
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e174.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE174	16792 bytes
`font_01_sfnt_off0000f986.bin` `0feafd852ffd6ac273c72cf86c6afd8a958b42606417d5b1ad6a9de45f476732`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF986	20080 bytes
`font_02_sfnt_off00012ecc.bin` `2d795865540e50705fc038f3dff71c754bf25f914f535cc845a983f815104ec7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12ECC	10376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.