PDF malware analysis — malicious · e540e7028bfac5ae

MALICIOUS

PDF

76.3 KB Created: 2021-06-09 23:25:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: dd1913012c3778f120c9dd36fb3ec742 SHA-1: 6401bb700f0036563707b507b612a51607bdf4fd SHA-256: e540e7028bfac5ae715bd1d2fc45c4abfd96a6ad43ef7e05bd29bebfb8922861

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious content. The 'SE_CLICKFIX' heuristic suggests the document employs social engineering to trick the user into running a command, likely to download and execute a second-stage payload. The embedded URLs and link farms further support a phishing or malicious redirection scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://medvor.ru/uplcv?utm_term=can+you+find+deleted+history+on+chrome
- https://levin-dent.ru/wp-content/plugins/super-forms/uploads/php/files/32cbae70f92d71e8597135a578263633/35749208752.pdf
- http://kulturazebrak.cz/userfiles/36810010470.pdf
- https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/4c9e6e596331dff29fac9d2e3e4db33b/95004982767.pdf
- http://pivotal-technologies.com/userfiles/file/tumatodagaralo.pdf
- http://panhongbo.com/ckfinder/userfiles/site_eachfun_com/files/15290281520.pdf
- http://jp-cable.com/d/files/gakebeliso.pdf
- https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a861561cf47---fuvokesixibinenozel.pdf
- https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/c46ce60940c37d9e000ffa86a12c0e4f/91970466152.pdf
- http://peggylittlelawoffice.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/70739754670.pdf
- http://amsasecretariat.fr/userfiles/file/bumixozizo.pdf
- https://oklogistic.lv/upload/file/tukinuvokefulilogumigikif.pdf
- https://uleiuri.ro/userfiles/file/faravaxexowumixekezivafo.pdf
- http://autodilykanka.cz/cmsimple/images/file/bedigodufexavar.pdf
- https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/t4gsfqjhfr6fhj02eq29ng5ft1/28417842865.pdf
- https://www.mnspineandsport.com/wp-content/plugins/super-forms/uploads/php/files/c9c0191fccd168cc31654d8f1dd1ea59/94912204628.pdf
- http://www.rkcomdesignservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608bfdfee53f3---81577600618.pdf
- http://resetimpianti.it/reset/public/file/buzojasip.pdf
- https://www.femregenx.co.za/wp-content/plugins/super-forms/uploads/php/files/cti7qi0e1ids5rrerk4oe0b2va/nefuxitaxab.pdf
- https://www.kadeavenue.com/wp-content/plugins/super-forms/uploads/php/files/99f97a46b803f7f36a341df3fb1b54d2/85175888947.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000eecd.bin` `c0baf256f81ae0158d63581274155f114446e438db540d4a76ff7eae22cf81f7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEECD	5268 bytes
`font_01_sfnt_off00010095.bin` `c3e2a58c6987470d4d421cdfd3bd68b7bd2950ab7784c135761d1b596ad07b30`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10095	10724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.