PDF malware analysis — malicious · d8475a61a6975fac

MALICIOUS

PDF

233.6 KB Created: 2021-07-19 22:56:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: e82ba016cbebd00732f26fe4662b1ed6 SHA-1: e3bd5c394bd40acc4ebd01f6176ee5d65a78ba6c SHA-256: d8475a61a6975facb1544a270928a285ef4ccfca64b95e40c9af952205590108

146 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The presence of numerous links pointing to compromised WordPress upload directories strongly suggests a phishing attempt to distribute further malicious content. No scripts were extracted, but the PDF structure and link farm indicate a malicious intent to trick users into downloading further payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9800

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
QR-code redirect lure medium SE_QR_LURE

Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.prestigeautobody.com.au/wp-content/plugins/super-forms/uploads/php/files/258774ede57959e3a6f769372ae60cc4/pakopijel.pdf
- https://perleyparish.org/wp-content/plugins/super-forms/uploads/php/files/8df30d4891aa1c86c1a8c7fca1431490/mofodenufivodosuxid.pdf
- https://argekaucuk.com/nbg/upload/files/96742365383.pdf
- http://www.hkqi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3da2ea2b28---13209079109.pdf
- http://aiskreunion.com/clients/b/b4/b417c2091670ce0b0d78f4b231aea02c/File/7824765238.pdf
- http://retailcop.ca/files/75829747465.pdf
- http://ljhalls.com/wp-content/plugins/super-forms/uploads/php/files/b8b103436e001e97a09373d92a9b4fdf/18730875372.pdf
- http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc40027f2c9---zewifora.pdf
- http://claudiodauelsberg.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bd188ca01c2---73705360083.pdf
- http://kimyasaldubeller.com/upload/ckfinder/files/ruwafigubax.pdf
- https://www.nobleorthodontic.com/wp-content/plugins/super-forms/uploads/php/files/341d056e47ae3508ba5b0e2497e3de78/mojaz.pdf
- https://habibitours.com/ckfinder/userfiles/files/39210486084.pdf
- http://botanicgardenscafe.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160c10cad79856---nawuwutupafozebi.pdf
- https://absoluteanytime.com/media_file/files/files/76669735865.pdf
- http://spiregene.com/image/files/20210703_161357.pdf
- https://hankilfood.com/upfile/files/85420960771.pdf
- https://apexforestservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b3b138d642---52115684851.pdf
- http://pmdrecycling.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b2a45a44493---48789958190.pdf
- http://arci-mp.fr/admin/File/68261855421.pdf
- http://palletgoanloi.com/img-dn/files/2603618835.pdf
- https://lamaisonducoeur.ca/upload/editor/file/65974464579.pdf
- https://rmdschoolandcollege.com/wp-content/plugins/super-forms/uploads/php/files/he9l8198d57ptcvke4g9esqbt2/57306069881.pdf
- http://www.monts.sk/upload_images/file/47523629343.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=answer+for+english+textbook+form+1
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00031e2e.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x31E2E	16792 bytes
`font_01_sfnt_off00033640.bin` `6c00b691ccb01fd85282e91e7e9f2c35254f7a8049d03020b8c37101b62a3a4e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x33640	18876 bytes
`font_02_sfnt_off0003680b.bin` `a41791f91566cd53f16d491d7a86949323a787700ce5833a7be522c92b2cc836`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3680B	10952 bytes
`font_03_sfnt_off0003815a.bin` `fdc3f250e16d4eeaac0151c08e1678493ac6cc67090af3137bc700c4cd553891`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x3815A	16348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.