PDF malware analysis — malicious · fa68f6ed4aadd582

MALICIOUS

PDF

132.6 KB Created: 2021-07-01 19:28:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12

MD5: efd62521a4263c43311b00ed51906ae8 SHA-1: 94708922b30b4752f28f42ce4397c3fef210328c SHA-256: fa68f6ed4aadd58243d0bbf9a99545a49e1af06537ba11b42a740e9c6df50177

196 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document contains numerous links to external websites, many hosted on compromised WordPress installations, suggesting it functions as a link farm to distribute malware or facilitate phishing. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' further suggests that the document may be intended to trick users into downloading a password-protected archive, a common tactic to bypass security filters.

Machine Learning

Nyx PDF Classifier malicious score 0.9792

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://krisoc.ru/uplcv?utm_term=dhoom+2+tamil+dubbed+tamilrockers PDF link annotation
- http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1609020987e776---65743098174.pdfIn PDF document text
- http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/1609742ec96897---reketivilapulajeju.pdfIn PDF document text
- https://janeunchained.com/wp-content/plugins/super-forms/uploads/php/files/ibmvlh42tfslqoib1heqrmidbu/vamizizavexivo.pdfIn PDF document text
- https://arihantgranites.in/wp-content/plugins/super-forms/uploads/php/files/b1364i9duo1tjfeb8mubcc66i7/43221087749.pdfIn PDF document text
- http://chicagohalo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e84a240628---40592421162.pdfIn PDF document text
- http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/160916f6141813---6626019223.pdfIn PDF document text
- https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/160968fa50df7c---43178090595.pdfIn PDF document text
- https://messianic.live/wp-content/plugins/super-forms/uploads/php/files/93ca9ed21506176bf07be17ad0d6e647/telasidakoriga.pdfIn PDF document text
- https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/v69hifmtt4bvu59tont8n829cu/59176725727.pdfIn PDF document text
- https://www.traveltimevipp.com/wp-content/plugins/super-forms/uploads/php/files/ab2bd9d96e61939cd537476d898e83a5/disiguserimujim.pdfIn PDF document text
- https://jiptv.nl/wp-content/plugins/super-forms/uploads/php/files/36qf39nitu127v4nt3aubhomil/laxexotigotivov.pdfIn PDF document text
- https://razvozka24.ru/wp-content/plugins/super-forms/uploads/php/files/692e16b61dc7c537ae1eb1f9c339d772/49137022225.pdfIn PDF document text
- http://hchs1972.com/clients/2/2c/2cb73362227bcfbd3ed6ae01b5b3dc46/File/53042084000.pdfIn PDF document text
- http://www.srijonihealinghome.com/fckimages/file/jefatunu.pdfIn PDF document text
- http://praconsulgroup.ru/pict/file/libubijemebisunibukutax.pdfIn PDF document text
- http://tcsm62.org/uploads/news/file/zizoganubide.pdfIn PDF document text
- https://borderpak.com/wp-content/plugins/super-forms/uploads/php/files/eee8f804ae4c8d0c86c7c221b1059743/rudekuvavigimumiwidela.pdfIn PDF document text
- https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/7fb1df64508b653ededd0f278a777dfd/264028730.pdfIn PDF document text
- https://discoverapartmentsforrent.com/wp-content/plugins/super-forms/uploads/php/files/d0a2f21606055e8d05a0914b9a497f22/47381316058.pdfIn PDF document text
- https://catherinehourihan.art/wp-content/plugins/super-forms/uploads/php/files/b11f8484bc0548e647d364910a3760fc/33878733700.pdfIn PDF document text
- http://bbmeti.it/userfiles/files/49390555655.pdfIn PDF document text
- https://home18.ru/wp-content/plugins/super-forms/uploads/php/files/8a435d0cccc3bd76edb000ab93770d10/godakumufezipa.pdfIn PDF document text
- http://www.infos-lentilles-de-contact.com/images-sites/files/68490101725.pdfIn PDF document text
- https://www.beewellrx.com/wp-content/plugins/super-forms/uploads/php/files/tmp/47873696485.pdfIn PDF document text
- http://abogadosaguilar.com/ckfinder/userfiles/files/82205632385.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001814e.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1814E	18908 bytes
SHA-256: `1b7d18cb7de54acf630048d2700dbace2ba0bf438ab08b42f066ed50fb05a5d4`
`font_01_sfnt_off0001b40b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1B40B	10984 bytes
SHA-256: `a647e9a4d14c7834fbf2db15d354e9e18a23613e2e5349aac6b756055ec489ba`
`font_02_sfnt_off0001cd9c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1CD9C	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_03_sfnt_off0001e5ad.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1E5AD	16084 bytes
SHA-256: `d11bfa2b02c462a3f9075532ce7ec1132ca3691ccd6a850e0dcf0119a218c04c`
`font_04_sfnt_off0001fadc.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1FADC	1828 bytes
SHA-256: `2ba5f6bc5237a066e45a64d97ae3ede589a429b88d2aff4fd3747a8408f1e923`

Open this report in the interactive analyzer, or submit your own file for analysis.