PDF malware analysis — malicious · d623139f47ee74af

MALICIOUS

PDF

95.6 KB Created: 2021-07-31 02:27:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24

MD5: 824f5e60b501055ab6a21d47d3a5d07b SHA-1: d00dd6f1e25b1541fc2f9bf528cec3f5d4898104 SHA-256: d623139f47ee74af9f144530214c94a2786adc3a48f9e60fa3836a42bb98d2df

236 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a fake CAPTCHA lure, designed to trick users into clicking malicious links. Several heuristics indicate the presence of link farms pointing to compromised WordPress sites and disposable hosting, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9916

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA

Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/160c789c86b802---pudazelorasixowixirekados.pdf In PDF document text
- https://ambulatorioveterinariosismondi.eu/file/36304264660.pdfIn PDF document text
- https://www.ergunaygoren.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c944e31e66---fibuwimupejizomumofo.pdfIn PDF document text
- https://theatresaucinema.fr/uploads/file/74439628889.pdfIn PDF document text
- http://aarogyamedico.com/userfiles/file/23092691612.pdfIn PDF document text
- http://compie.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1607000de92884---pixuramesujuzolumeze.pdfIn PDF document text
- http://xn--80akij1ajew.xn--p1ai/wp-content/plugins/formcraft/file-upload/server/content/files/160b952aee8ab1---93181610385.pdfIn PDF document text
- https://gymlesgeants.com/upload/editor/file/31862646556.pdfIn PDF document text
- http://www.hussco-steel.com/husscofiles/files/95050947026.pdfIn PDF document text
- https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608f94c2484c6---xeladawefukokun.pdfIn PDF document text
- http://inistor.com/ufiles/files/25939395129.pdfIn PDF document text
- http://colegiosantarosa.com/uploads/imagem/file/bodekikaxejoxewa.pdfIn PDF document text
- http://anysoldierfundraiser.com/clients/a/af/af293656121fcb8b60a8c910089dd81c/File/84372163890.pdfIn PDF document text
- https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/23bbe4f347358c94f0fe72ee9a6a08d7/24763513982.pdfIn PDF document text
- https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/ut9cce6gra5vd4cbg2tderh9i4/baxififedozugina.pdfIn PDF document text
- http://www.infranetltd.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083fa9f91859---gelivapukumamox.pdfIn PDF document text
- http://lab4050.com/upload/editor/file/gugajoderakusika.pdfIn PDF document text
- http://ambulatorioveterinariorigolon.eu/userfiles/files/dored.pdfIn PDF document text
- https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f361c3b054---16108381751.pdfIn PDF document text
- https://stijsr.com/userfiles/file/9127319808.pdfIn PDF document text
- http://vstarmp.cn/upload/files/20210710_142116.pdfIn PDF document text
- https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/6a694be922726d87dd3b7e4891564cbb/fowozasimipe.pdfIn PDF document text
- http://simonide.org/userfiles/file/94442861386.pdfIn PDF document text
- http://rheinmotel.com/userfiles/file/43914617175.pdfIn PDF document text
- http://inewbus.com/wp-content/plugins/super-forms/uploads/php/files/ea2tovd4v1mvjc298afslraks7/bunigavox.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=swansoft+cnc+simulator+full+crackPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000fb3e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFB3E	2468 bytes
SHA-256: `708890e793ba712a6328b841df5ad21eac8b0cf0bc93d8063c39945ff0ff3c61`
`font_01_sfnt_off000105f4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x105F4	10716 bytes
SHA-256: `eb995c7859325f86cdd69d1871bd3810fada04d697982d690972ef65ba6f6cdc`
`font_02_sfnt_off00011ea1.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11EA1	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off000136b3.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x136B3	22516 bytes
SHA-256: `39e2595ac932aed76bdabe4d358f32f504b6773d243ce9bca5f260f45c4649ae`

Open this report in the interactive analyzer, or submit your own file for analysis.