PDF malware analysis — malicious · f32b96b5a5cf8e21

MALICIOUS

PDF

88.7 KB Created: 2021-09-07 02:21:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26

MD5: b20f7e658a9dfdbcbdaf7562f1cf20b8 SHA-1: bf6ae87d8cfc6e6e8083ccc5f5308ddcce362c24 SHA-256: f32b96b5a5cf8e212868f0477f9e2aee294d7fb16625df801f4f6fe771e8820d

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file contains numerous external links, many of which point to compromised WordPress sites and disposable hosting. This behavior is indicative of a link farm designed to redirect users to potentially malicious content or phishing sites. The ClamAV detection further supports its malicious nature, classifying it as a phishing trojan.

Machine Learning

Nyx PDF Classifier suspicious score 0.2934

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://diversecityuk.com/userfiles/file/24781037616.pdf In PDF document text
- https://shipnhanh247.vn/asset/files/foratesepi.pdfIn PDF document text
- https://thefertilizerequipment.com/d/files/84020011852.pdfIn PDF document text
- http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607e6215596e3---fizopowovakar.pdfIn PDF document text
- http://bellezaeimagen.com.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160b1e951ebf40---xosuvepanarabolimiditikoz.pdfIn PDF document text
- https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/16098de030f2d5---nafif.pdfIn PDF document text
- http://lookupagency.es/wp-content/plugins/formcraft/file-upload/server/content/files/16080d61bc63e7---robomananolali.pdfIn PDF document text
- http://gardatrans.com/content/Files/rugatazegimevusu.pdfIn PDF document text
- http://marcth.pl/media/fck/file/13581890829.pdfIn PDF document text
- https://rcot.org/userfiles/file/44688710491.pdfIn PDF document text
- https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/i0bg1b9snja9o6ckjrt60f0f4p/revamorabetigupuziwenogel.pdfIn PDF document text
- http://makinsushi.com/uploads/files/jijezorogukowugajipafiz.pdfIn PDF document text
- http://tiwtactic.com/userfiles/files/buledunezafokeluzitobibi.pdfIn PDF document text
- https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/29c053eca63ae9c945a7b20fae873a94/4546428503.pdfIn PDF document text
- http://orthocarecentroortopedico.it/userfiles/files/53158103325.pdfIn PDF document text
- http://krikrik.ru/uploads/ckfinder/files/tatidu.pdfIn PDF document text
- https://maturana.cl/upload/file/mazesutuzezavalo.pdfIn PDF document text
- http://dyglas.com/userData/board/file/76925180579.pdfIn PDF document text
- http://bergfin.se/wp-content/plugins/formcraft/file-upload/server/content/files/161038745256ca---xodevumunusotitejelogezid.pdfIn PDF document text
- https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/160d2b2d65f043---gejapuwoja.pdfIn PDF document text
- https://bjjewels.net/nbloom/fckuploads/file/kokojelulaxariropib.pdfIn PDF document text
- http://phenix-security.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160866d78780c9---wojubalezobegimubajupowo.pdfIn PDF document text
- https://club-sports.net/uploads/products/files/20772661693.pdfIn PDF document text
- https://claphamjunction.com.au/wp-content/plugins/super-forms/uploads/php/files/913355b3fee433bb7d4118e92afb170a/lozevonukojuwenupog.pdfIn PDF document text
- https://ntct.dz/ckfinder/userfiles/files/41865478195.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=business+basics+teacher%27s+book+pdfPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001143f.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1143F	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00012c51.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x12C51	18180 bytes
SHA-256: `d2caf6ff54b04a77b58b67225885d79182b7c7eee4dec0861583c605b2373a11`

Open this report in the interactive analyzer, or submit your own file for analysis.