PDF malware analysis — malicious · d7ad89ad4f1d6ea9

MALICIOUS

PDF

79.1 KB Created: 2021-07-10 07:30:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: 2ab9f9e55c2efc65f69416d000240f54 SHA-1: 4f35149d5e0345b8964d39122bc4bcb411fb1487 SHA-256: d7ad89ad4f1d6ea9112e8f3ec13f2de5b73d64800ac7a58d69ace32456c1496c

236 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a PDF document that employs a social-engineering lure, instructing the user to install a browser extension or update to view content. This is a common tactic to trick users into compromising their systems. The document contains numerous links to external URLs, many hosted on compromised WordPress sites, suggesting a distribution mechanism for further malicious payloads or phishing attempts. ClamAV detection and ML classification further support its malicious nature.

Machine Learning

Nyx PDF Classifier malicious score 0.9846

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK

PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://medvor.ru/uplcv?utm_term=r+programming+lecture+notes+pdf PDF link annotation
- https://www.ccps.mx/wp-content/plugins/super-forms/uploads/php/files/ed0cdf237f03d7ed9e5ee7b501ddc9ff/34000607264.pdfIn PDF document text
- https://adasms.fr/userfiles/file/87671568376.pdfIn PDF document text
- http://yangs-ns.com/ckfinder/userfiles/files/20210531124418.pdfIn PDF document text
- http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607353b289a26---63712252840.pdfIn PDF document text
- https://www.enterpriselighting.com/wp-content/plugins/super-forms/uploads/php/files/e41d5e3edfb3d17c4b1f664d0b69155c/84426424565.pdfIn PDF document text
- http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f1dbebbe6c---12922265628.pdfIn PDF document text
- https://drivetripper.com/userfiles2020/files/88816535950.pdfIn PDF document text
- http://www.realisthotel.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072a6b5f1828---22235609380.pdfIn PDF document text
- http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b9c8814b9c4---dugesabavojenokajowo.pdfIn PDF document text
- http://premium-t.info/files/files/disixejajarivovekowukede.pdfIn PDF document text
- https://123natura.com/stockages/files/modikogupo.pdfIn PDF document text
- http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/16072d3b81978c---86458980371.pdfIn PDF document text
- http://chono.mn/uploads/userfiles/files/kopibotafugogixekuzo.pdfIn PDF document text
- http://jirehenl.com/userfiles/file/240447376447.pdfIn PDF document text
- https://bokseinstituttet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160c4feaeabc2b---tujefolu.pdfIn PDF document text
- http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/c66bb30c99e2bae343c82db370f2d873/ponomejumekananijokivazub.pdfIn PDF document text
- http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/bpgshk6g3rimgf8np5cvc6iev0/37037748825.pdfIn PDF document text
- http://internationalnetworksolutions.net/files/bowef.pdfIn PDF document text
- http://niestachow.pl/data/aktualnosci_imgs/file/fefaroxukagiribapuwu.pdfIn PDF document text
- http://195exim.com/datas/files/vadebatesunolobex.pdfIn PDF document text
- http://www.trimbleexpress.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160838480396f4---87606131310.pdfIn PDF document text
- https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/160890b1405d6a---wobuporigakudupinubol.pdfIn PDF document text
- http://artmetinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc4218abbd9---64515867600.pdfIn PDF document text
- https://mrmusicfoundation.org/wp-content/plugins/super-forms/uploads/php/files/hc474uvms33vvc3c81bta7hg2b/xulos.pdfIn PDF document text
- https://www.espymetcalf.com/wp-content/plugins/formcraft/file-upload/server/content/files/160da773705702---92811835753.pdfIn PDF document text
- http://kioskcondoweb.wpengine.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e170992028---77101535689.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d141.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD141	11108 bytes
SHA-256: `a8fd12dd1179094f2fb335591b3ae46efb8c8ce71c29db35bb4c98a06cc40e0a`
`font_01_sfnt_off0000eaf2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEAF2	16460 bytes
SHA-256: `60d509e00803563253a5f71f61c581ff4e1bb41292753f21ba894c30cb40cf1f`
`font_02_sfnt_off00011576.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11576	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.