PDF malware analysis — malicious · e6a805eda8a756ab

MALICIOUS

PDF

137.9 KB Created: 2021-09-07 05:08:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27

MD5: 0d12ed5fb1fb416387ab9182f6fe6ec6 SHA-1: 054e91bf499ed9c54e1a70ae74c5886627f5c474 SHA-256: e6a805eda8a756ab2e035caa7f560b43a61a9721618b5067c82926e0d88ab413

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing or trojan. The document contains a link farm pointing to compromised CMS uploads and disposable hosting, suggesting an attempt to distribute malicious content. The 'SE_CALLBACK_LURE' heuristic indicates the document likely prompts the user to call a phone number for a fake issue, a common tactic in tech-support scams and callback phishing.

Machine Learning

Nyx PDF Classifier malicious score 0.9761

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://fmpride.com/wp-content/plugins/super-forms/uploads/php/files/071ec8dc6065e0e4597b28ac4fcd0304/dejokesekubalisetesinewox.pdf In PDF document text
- https://areshin.ru/wp-content/plugins/super-forms/uploads/php/files/d863f1c9d61ed0f919a8d6fd915e04ab/bunakizamunerukezifiro.pdfIn PDF document text
- https://vinasimex.com/uploads/file/dozobibaxug.pdfIn PDF document text
- http://www.mediacomriccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/160902c6f1bad2---36156486133.pdfIn PDF document text
- http://josephlillianmorrisfamily.com/clients/59960/File/ferixudo.pdfIn PDF document text
- http://www.vivelamusica.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608888732cea7---puziwufon.pdfIn PDF document text
- https://cafesca.mx/ckfinder/userfiles/files/xugalupuk.pdfIn PDF document text
- http://www.blueoak.fr/image/file/84271092307.pdfIn PDF document text
- https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/a8i900sl3dkoflfi95hck951lk/21222010164.pdfIn PDF document text
- http://agataklimowska.pl/userfiles/file/dazuxu.pdfIn PDF document text
- http://a-mega.ua/images/uploads/file/jajoteduwuforulus.pdfIn PDF document text
- https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/160ecace12f575---relusumijuno.pdfIn PDF document text
- https://thewaves.net/wp-content/plugins/super-forms/uploads/php/files/9ecckvba8l9r3ij7f5jq7bc2tt/24866182651.pdfIn PDF document text
- http://jx4d.com/userfiles/file/rugarexefiwigipezi.pdfIn PDF document text
- http://dvg.asia/ckfinder/uploadfiles/files/93959958185.pdfIn PDF document text
- https://www.chartsunlimited.com.ph/wp-content/plugins/formcraft/file-upload/server/content/files/16086c7009ea68---bazepadog.pdfIn PDF document text
- http://syntra.pl/userfiles/file/xoturonofufubebu.pdfIn PDF document text
- http://www.sparkprototypes.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607685e814c65---81840226103.pdfIn PDF document text
- http://workcoop.org/fckeditor/userimages/file/20210604162718.pdfIn PDF document text
- https://lexcochoralsoc.org/demo/lccs/beta/userfiles/files/90252723459.pdfIn PDF document text
- https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4ed346681a---10285689730.pdfIn PDF document text
- https://bakotech.at/uploads/ckeditor/files/gozawuwiworutajawive.pdfIn PDF document text
- https://pmcp-avac.com/files/upload-ckfinder/files/gasanigeluluxipusile.pdfIn PDF document text
- https://akarchlight.com/wp-content/plugins/super-forms/uploads/php/files/7e51de35be775982d3948a2e2d4c7415/tuzomebapi.pdfIn PDF document text
- http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd2411cb583---jipapakeguduxepil.pdfIn PDF document text
- https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/4fc19a2092416c10b19f0f1b349069e3/dakepevit.pdfIn PDF document text
- https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=volcans+cours+pdfPDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001aaea.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1AAEA	10360 bytes
SHA-256: `f8968d7c8fc937bc096861cf4fa578502aa36109121262b7f5d183ec7192de12`
`font_01_sfnt_off0001c26e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1C26E	24832 bytes
SHA-256: `78335df9821b0fee66c882811b29dc0515152d2114eb9eca1a28a7da513f146a`
`font_02_sfnt_off00020052.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x20052	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.