PDF malware analysis — malicious · f0d37272e4341161

MALICIOUS

PDF

90.4 KB Created: 2021-06-30 20:53:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: d19df27c51a3c72cc9a0f166031f6718 SHA-1: 5b4572dd063fc1eddbeeaf3187b97f4b0d57f01e SHA-256: f0d37272e434116199a31939a7e879ee5c6e744b28fa71aa4d10aa8ec58ce598

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected by ClamAV as a phishing trojan. Static analysis revealed it functions as a link farm, containing numerous URLs pointing to compromised WordPress upload directories and other disposable hosting. These links likely lead to phishing pages or further malware downloads, indicating a malicious intent to lure users to malicious sites.

Machine Learning

Nyx PDF Classifier clean score 0.0151

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://lightspec.com/wp-content/plugins/super-forms/uploads/php/files/a3cdaf61539a582cdd009f0d71f33e43/78658382195.pdf
- http://eszixv.hu/ckfinder/userfiles/files/fumevumurokososideluv.pdf
- https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/a64pvkfcadbt1bd1o31ns7e7e6/18384685778.pdf
- https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/cbbc0b499d92e316692be5d313e3f6bb/vesifu.pdf
- http://lawcab.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160da2d0184557---tebosofojalafupage.pdf
- http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bca5b5552be---12406522637.pdf
- https://xo-sound.ru/userfiles/file/venigejasuzulilibejuvur.pdf
- http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e13e9e1764---nufageletewukule.pdf
- http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609acc126ac87---zavefaduzad.pdf
- https://creationstationdance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607825232c3db---1623333848.pdf
- http://hrzservices.com/uploadfiles/file/69805446632.pdf
- https://www.straightmyteeth.eu/wp-content/plugins/super-forms/uploads/php/files/d3fd54f6390cfc6f61df6765c2a1ee08/sofefupomuv.pdf
- https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/21b5b367a02a4316013e84e5dd430ab2/suraw.pdf
- https://www.acetechnology.co.in/wp-content/plugins/super-forms/uploads/php/files/uvbb9nm7s08ldik3d9j2ia44t1/foviweziwonuvomiteve.pdf
- https://tenfci.org/userfiles/file/13167017489.pdf
- https://militarynetwork.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb3e7d48e6---tesukonekuxaw.pdf
- https://wlao.on.ca/wp-content/plugins/super-forms/uploads/php/files/05f0ae23b21bc8b861271af003cae3c8/66812216448.pdf
- http://accessprecision.com/userfiles/file/tuzip.pdf
- http://sinara.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bfae2db93af---fetixuso.pdf
- http://auchli-appenzeller.ch/userfiles/files/wizide.pdf
- https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f06bb28e06---46265681490.pdf
- http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/160d504ed467b1---winebojupomilovipisuz.pdf
- https://limpjet.com.br/wp-content/plugins/super-forms/uploads/php/files/281c6c47603270adb13423c1ef21216f/zenekagejak.pdf
- http://czpohledavky.cz/userfiles/files/50175009616.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=out+in+the+corner+watching+you+kiss+her+lyrics
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000ee80.bin` `c7374f12cfe29de80d628d8fd48805416247d40d71ed25ebfff5fe793445c9ed`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xEE80	17916 bytes
`font_01_sfnt_off00011da7.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11DA7	16792 bytes
`font_02_sfnt_off000135b8.bin` `27fa49ca30b1f57c6e4f8b99ad1f73ead7010ce1f191e20d716503af09158f46`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x135B8	16160 bytes
`font_03_sfnt_off00014b32.bin` `ae6761c4cbca3d31d5246eddda14bc9f8c4405b70e30565f53450b969c9c820b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14B32	10924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.