PDF malware analysis — malicious · fa0df87a8910b866

MALICIOUS

PDF

93.7 KB Created: 2021-08-31 18:28:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-21

MD5: 1f01af0d1a129fa2f5aa086df24f769d SHA-1: fc22362c40b6d11cdfd929c367a86357cccfbec6 SHA-256: fa0df87a8910b86626ae509ba7b84bb50102b26e9644f4e312f012b89b263876

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a link farm directing users to multiple external URLs, some of which host further PDFs. ClamAV detected this file as a phishing trojan, and ML classification also flagged it as malicious. The presence of numerous links to potentially compromised CMS upload directories suggests a campaign to distribute further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.5160

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://karapinarinsaat.net/userfiles/upload/file/92786906558.pdf In PDF document text
- https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/1610f20a0a631c---jerozoreveno.pdfIn PDF document text
- https://olivier-daulte.com/ckfinder/userfiles/files/14999876074.pdfIn PDF document text
- http://www.contal-farmer.com/uploads/files/gemudikoboxefinum.pdfIn PDF document text
- http://krupongs.com//images/file/94587058014.pdfIn PDF document text
- https://soudurelausiere.ca/upload/editor/file/tiduwojo.pdfIn PDF document text
- https://enville.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607201f2c37be---86528649099.pdfIn PDF document text
- https://voolabs.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a18a258304---ripewodipitevakaluzu.pdfIn PDF document text
- http://workontext.ru/media/file/41989052105.pdfIn PDF document text
- http://izdepskifamily.com/clients/1/1a/1adacdf247316bc4617b3617d965acc7/File/poxilomelidiki.pdfIn PDF document text
- http://photo-preiss.com/upload_files/files/nemimujanenifozipuju.pdfIn PDF document text
- http://bamt.be/wp-content/plugins/formcraft/file-upload/server/content/files/1609c55f39c9da---febemofiga.pdfIn PDF document text
- https://doctorchina168.com/upload/files/81528876952.pdfIn PDF document text
- https://astdubai.co/userfiles/files/61978421874.pdfIn PDF document text
- http://www.drop-lok.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609aa2c3b6e47---vixufi.pdfIn PDF document text
- http://oasis-inwaste.asia/files/file/92988084776.pdfIn PDF document text
- http://dissanna.com/temp/fckeditor/file/laxejine.pdfIn PDF document text
- https://harkakotony.hu/UserFiles/file/fuvoperininukagotan.pdfIn PDF document text
- https://mercerapparelss.com/userfiles/files/vitezeropadinuboj.pdfIn PDF document text
- http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607c650d88a2a---monusujixav.pdfIn PDF document text
- https://tongdaidoanhnghiep.com/app/webroot/upload/files/40998543088.pdfIn PDF document text
- http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1608c79fab61fd---jivesuwupatadezef.pdfIn PDF document text
- https://chung-pei.com/userfiles/file/7522605777.pdfIn PDF document text
- http://smith-williamssisters.com/clients/d/dd/dd6cbc7353a6ef31c13ccaa63ab862ac/File/16474280254.pdfIn PDF document text
- http://skupka54.ru/upload/m/8972329148.pdfIn PDF document text
- https://www.urban-quartz.co.uk/wp-content/plugins/super-forms/uploads/php/files/86bbaca1cf416fe3644ee15962fb883e/lofopesobuxilazujejewop.pdfIn PDF document text
- http://travelport.pl/userfiles//file/96524974592.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3vuEKuznOb8/uplcv?utm_term=cpm+by+country+2020PDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001221b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1221B	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off00013a32.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13A32	10560 bytes
SHA-256: `83a8bf0d4c396d9faa97e43a155b9e59f84888ea247a0a2f0aef32ee5936fb9b`

Open this report in the interactive analyzer, or submit your own file for analysis.