PDF malware analysis — malicious · e3df2811fb138c8d

MALICIOUS

PDF

82.8 KB Created: 2021-07-08 01:30:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20

MD5: 5c25ddc5f8dbb9f50c5d5d79ad523efe SHA-1: 5ce0ffdfd253f7d6ffbc316663a33c4ebf00ff6c SHA-256: e3df2811fb138c8dfc6bcd894fe1da11f5547aba6705db983bc95a89fdc93a6f

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of embedded JavaScript and numerous external URIs, many pointing to compromised CMS uploads or disposable hosting, suggests the document functions as a link farm. This pattern is commonly used to redirect users to phishing sites or download further malicious payloads.

Machine Learning

Nyx PDF Classifier malicious score 0.9833

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://mgocsm.in/userfiles/file/41264796166.pdf In PDF document text
- https://www.tessilgiada.it/wp-content/plugins/formcraft/file-upload/server/content/files/16086d4c31c71e---77435626739.pdfIn PDF document text
- http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082e404b47e3---goluwonetazoluj.pdfIn PDF document text
- https://stgeorgedentalcare.in/ckfinder/userfiles/files/31793191375.pdfIn PDF document text
- http://jedwines.com/cmsCart//upload/file/27031643927.pdfIn PDF document text
- http://autoshiftbid.com/fckeditor/userfiles/file/davelizemosanuzifudarozon.pdfIn PDF document text
- https://idfusionllc.com/wp-content/plugins/super-forms/uploads/php/files/36a523427f189bb6f3b1f9ea99f62c46/90337430602.pdfIn PDF document text
- https://provisionsinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607aa5fb15382---fakizaxakazu.pdfIn PDF document text
- https://daleplumbinginc.com/wp-content/plugins/super-forms/uploads/php/files/221159e43e90f7d1275812f09cf502e4/14007990698.pdfIn PDF document text
- https://opuntia.eu/wp-content/plugins/super-forms/uploads/php/files/13a165d038767342af7ded99f5879162/wekapol.pdfIn PDF document text
- https://birgatour.mn/js/ckfinder/userfiles/files/26410106915.pdfIn PDF document text
- https://livingcircles.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160863219ec869---7032795223.pdfIn PDF document text
- http://ecbpolska.pl/wp-content/plugins/super-forms/uploads/php/files/6ad902a339343f2924126155d9cc3635/rogujet.pdfIn PDF document text
- http://videoacceso.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cf3652d135---lolasesonivagibeb.pdfIn PDF document text
- https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb567c3efa---riwujoro.pdfIn PDF document text
- https://njsolarpower.com/wp-content/plugins/super-forms/uploads/php/files/71e1f39f99a3c6996ab8ebf8d20d1094/jerifulezu.pdfIn PDF document text
- http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160983ccbdc23e---gimutokelewapaduz.pdfIn PDF document text
- https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/450dc4963079258ae19e47dbf39bc065/57056565085.pdfIn PDF document text
- http://hopkins1983.com/clients/861771/File/83561117088.pdfIn PDF document text
- http://uctodane.cz/UserFiles/File/zizat.pdfIn PDF document text
- http://scissortailfarms.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088daa71aba6---fuzosinokujibolorovikagu.pdfIn PDF document text
- http://dobraukraina.org/sites/all/sites/dobraukraina.org/files/kebulukonunadiwevumana.pdfIn PDF document text
- http://grodgolf.com/clients/f/fd/fd83fa7079552abb47853a85229f74c1/File/42227900407.pdfIn PDF document text
- https://aprilboya.com/userfiles/file/64051971186.pdfIn PDF document text
- https://cardion.dk/gfx/fckimages/file/37172275093.pdfIn PDF document text
- http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607c823dda2f0---nuvedasivep.pdfIn PDF document text
- https://www.charityweiss.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607cb00ed8796---bitolugiverepa.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3CAf4wW3hvY/uplcv?utm_term=where+clause+in+group+byPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e1de.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE1DE	16560 bytes
SHA-256: `09975306a2f7b4187c749a0007ad5278162ef666cf123d5493f87663ea8ad4b6`
`font_01_sfnt_off00010cc2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10CC2	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off000124d9.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x124D9	10904 bytes
SHA-256: `68741f73c62308d0c84fa780589b62d2547489c7999cea639aff55e8bb46d207`

Open this report in the interactive analyzer, or submit your own file for analysis.