PDF malware analysis — malicious · e363d8b8479ab015

MALICIOUS

PDF

402.2 KB Created: 2021-06-25 21:20:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 439d03750fd2faf1a310d06880089223 SHA-1: 149fb4cfdd5c13e3c7ac2bb3f00d37806f856baf SHA-256: e363d8b8479ab015cf49b184959eec69a2e91240e09788edbb0ff41d73a65b0c

134 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is often used to redirect users to malicious sites. Several heuristics indicate the presence of a link farm pointing to compromised WordPress upload storage, suggesting an attempt to host malicious content or phishing pages. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports a malicious intent, likely involving phishing or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.8494

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf3659b0080---15635862235.pdf
- https://partnyor.az/userfiles/file/5935047959.pdf
- http://richmore.kr/uploadfile/fckeditor/file/10657268303.pdf
- https://advicezone.org.uk/wp-content/plugins/super-forms/uploads/php/files/ln5j1uvdgdml6co7pjfasgkg7s/razuxo.pdf
- https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/e9a7e19aa085995925422f4d74a7632b/84020569692.pdf
- https://hyundaia.ru/userfiles/file/mefak.pdf
- https://ssvacancy.com/ckfinder/userfiles/files/53475360744.pdf
- http://www.alexgis.com/siteuploads/editorimg/file/rudijetupemepexoxigajo.pdf
- https://digidatadecolombia.com/wp-content/plugins/super-forms/uploads/php/files/e74fc711b8736196b4c24b0f079774fd/selumipoveranagotamap.pdf
- https://olgapopovaphoto.com/wp-content/plugins/super-forms/uploads/php/files/c2d864663d70ea6d51aabf79c1327e50/31950327683.pdf
- https://donnasalon.ru/wp-content/plugins/super-forms/uploads/php/files/b9bf8baaed7479360e0f815a447e2b98/neruwiruwiketupevuvabapaj.pdf
- http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f540bc16bf---51855721667.pdf
- http://ahcxdq.com/uploads/file/292034432708.pdf
- http://projectbudapest.hu/wp-content/plugins/formcraft/file-upload/server/content/files/16076248e889ca---26265986395.pdf
- https://gradeagroup.com/wp-content/plugins/super-forms/uploads/php/files/2ggllcjs8k798nltsb0oiekcce/jimemapap.pdf
- http://gallery4walls.com/upload/editer/file/51562958682.pdf
- http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/32347396114.pdf
- http://al-bandak.com/userfiles/file/kemetuku.pdf
- http://prodesign31.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16092099bbb38e---nifabemopudos.pdf
- https://travelselection.us/wp-content/plugins/formcraft/file-upload/server/content/files/16083b2b132ebd---79022806415.pdf
- http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086199858e7c---39451999586.pdf
- https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/5a827b583142b81dd436414e35da08cb/degovujowexajesebarosux.pdf
- http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16085cbd9470f0---januzex.pdf
- http://wakingbeauty.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607ae1691fe8f---fakixebaxodutubono.pdf
- https://feedproxy.google.com/~r/skout/mBVl/~3/1KS0DP0cxss/uplcv?utm_term=if+tomorrow+comes
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0005d938.bin` `c740f99492d1c5706d2dda10a7e8fb9396f535b3364f4a6eb92acefde5ca5020`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5D938	20136 bytes
`font_01_sfnt_off00060999.bin` `5d7fb122acdf090d89e87928eddba393061c010edbef591d9048d598b0d42e15`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x60999	10132 bytes
`font_02_sfnt_off0006205b.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6205B	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.