PDF malware analysis — malicious · f778ce03e31f8152

MALICIOUS

PDF

85.8 KB Created: 2021-09-24 02:14:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: ea79817175de120ddc36bb4e6cedb70e SHA-1: 67a41b78dcc4dda282cba5a0d7d79fd904e682d3 SHA-256: f778ce03e31f81528db94f3a38544076c6e8dadb2460fc74a29339e4820d7aa9

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF document was flagged by multiple heuristics and an ML classifier as malicious, with ClamAV identifying it as a phishing trojan. The document contains a link farm pointing to various compromised WordPress sites and disposable hosting, suggesting an attempt to distribute malicious content or redirect users to phishing pages. The presence of the 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs users to open a password-protected archive, a common tactic to evade initial security scans.

Machine Learning

Nyx PDF Classifier malicious score 0.9976

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://krisoc.ru/uplcv?utm_term=android+lire+fichier+txt
- https://festivaldelmaridaje.com/sgi_userfiles/userfiles/files/kopavelubegipetowube.pdf
- http://foto-preiss.at/upload_files/files/65133429353.pdf
- http://graphicon.hu/wp-content/plugins/formcraft/file-upload/server/content/files/161386a778d883---89111012190.pdf
- http://tfh-filter.hu/_user/file/vegubutumakinujugokol.pdf
- http://dblbtech.com/userfiles/file/77066939060.pdf
- http://dichvutot99.com/webroot/img/files/17962485591.pdf
- https://www.officinadelgustoroma.com/wp-content/plugins/super-forms/uploads/php/files/a634bf3e51a74018871c9634ff6913f2/17998024907.pdf
- https://ofertaromania.ro/ckfinder/userfiles/files/46456179176.pdf
- https://hanyauntuktesting.com/contents/files/11011433358.pdf
- http://hotdeals24x7.com/ci/userfiles/files/lezagepejixavegebamowu.pdf
- http://safetyassessmentsolutions.co.uk/ckfinder/userfiles/files/82645809842.pdf
- https://stcc-sa.com/motakamel/Ups/files/89858326381.pdf
- https://sim2007.com/files/zumemufipavepab.pdf
- http://sushiyaslo.com/uploads/files/jesokujofemuvu.pdf
- http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/1613f96a1b19fe---wabuvimepa.pdf
- https://aedwea.com/upload/foto/5935725766.pdf
- https://netwindowvn.com/uploads/userfiles/file/kimevosusexunux.pdf
- http://sportschoolindex.nl/images/uploads/27873024908.pdf
- http://zoscm.zohukum.com/ckfinder/userfiles/files/29443556405.pdf
- http://ls12368.com/userfiles/file/98427821209.pdf
- http://seattlebestteriyaki.com/uploads/files/57171180591.pdf
- https://mp2020.csysadmin.com/ckfinder/userfiles/files/35051928062.pdf
- http://rmgoals.com/userfiles/files/26439116394.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000e7d7.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7D7	16792 bytes
`font_01_sfnt_off0000ffee.bin` `4d332ff136f65f38d9c6c95371ba6e8122bb9c811055472d7ffd273c437a3b10`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xFFEE	10324 bytes
`font_02_sfnt_off00011715.bin` `747f95c262c2e7b5580b26d077b684335e5f2d1871acd549bc2670113191933b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x11715	19148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.