PDF malware analysis — malicious · dd7e389cb7a899ce

MALICIOUS

PDF

74.7 KB Created: 2021-09-23 02:18:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: e8401aa296d7307e989b8da2d21d895b SHA-1: 0b5ff75a0f806c86bd0ca6eb85a35370362d003e SHA-256: dd7e389cb7a899ce54497f959b60e879c7f3073569caee87cc9d0becaf561901

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier and ClamAV, indicating a high likelihood of malicious intent. Heuristics reveal it functions as a link farm, directing users to various compromised websites and disposable hosting, often using UTM parameters to disguise the true destination. The presence of multiple external URIs and the PDF_SEO_DISPOSABLE_LINK_FARM heuristic strongly suggest a phishing or malware distribution campaign.

Machine Learning

Nyx PDF Classifier malicious score 0.9973

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://crysiq.ru/uplcv?utm_term=minecraft+pocket+edition+free+download+iphone
- https://tapetcenter.ro/app/webroot/files/userfiles/files/xowotavisokunodabiwal.pdf
- https://aromamarketing.md/img/files/jotikalex.pdf
- http://aqcorth.specialty-match.com/upload/files/52255574234.pdf
- https://sindhuinvestment.com/ckfinder/userfiles/files/fugerixatixisubagufopemus.pdf
- https://ofly.om-digitalsolutions.cn/upload/files/mifopudoz.pdf
- http://taikenplan.jp/ckfinder/userfiles/files/tirek.pdf
- https://www.darrellstuckey.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614289ede8f2d---67646021226.pdf
- https://jeevandeepspecialcare.com/ckeditor/ckfinder/userfiles/files/98140922025.pdf
- http://geonatlife.es/ckfinder/userfiles/files/15372050875.pdf
- https://penmypoem.com/new/admin/uploadfiles/file/64313741303.pdf
- http://flapboxes.com/userfiles/files/35676215132.pdf
- https://prtl.pl/userfiles/file/poxerawuvofapi.pdf
- https://caribemed.com/userfiles/file/voloxebigutaxalejojiz.pdf
- http://yenidenyuzlendirme.com/ckfinder/userfiles/files/fenomapaxapejuse.pdf
- http://tacchigroup.com/public/thread/risorse/file/soxejajolafefit.pdf
- https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/16134ae6d90f6d---fakewusikafawulu.pdf
- http://konditsionery-zheleznodorozhnyi.ru/upload_picture/file/livase.pdf
- https://valve-toho.com/userfiles/file/samewagurowewe.pdf
- http://statsale.com/data/upload/ck/files/21365388795.pdf
- https://www.jdconstinc.com/ckfinder/userfiles/files/47205331194.pdf
- https://atasuorganiktarim.com/upload/ckfinder/files/galotoberogutavukujeda.pdf
- https://campermagazine.tv/public/file/xogozaminoz.pdf
- https://ximatinhdongnai.com/app/webroot/files/images/pages/files/14768473815.pdf
- https://www.brunosistemi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613f7b2f73ef6---sobekizoxevimuxofad.pdf
- https://thuanxuongmonmb.com/admin/webroot/upload/image/files/lobevadur.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000bf5a.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xBF5A	16792 bytes
`font_01_sfnt_off0000d771.bin` `2a2e242f44570586a8a724756f342724f6e3acd946e9d38451a2e6299ef3daa3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD771	10720 bytes
`font_02_sfnt_off0000f009.bin` `bedded9b28819c3bf443a46ae25afa4f998a09fd3a2af5294b65c24d72ac183e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF009	17380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.