PDF malware analysis — malicious · fc3ce9c264b28903

MALICIOUS

PDF

79.3 KB Created: 2021-06-29 22:03:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13

MD5: 74024b44fc463d9b3e75ec3a732c06cf SHA-1: 62b1f6b2e3c2e59333bb6efe58bcf2e5a5b7fdd8 SHA-256: fc3ce9c264b289030df4ab0f7d362ac07d4aa58b5320fd7d8075e92c285ee4ce

164 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains embedded JavaScript and a link farm pointing to compromised WordPress sites, suggesting it's designed to redirect users to malicious content. The presence of external URIs and a link farm indicates an attempt to distribute further payloads or conduct phishing attacks.

Machine Learning

Nyx PDF Classifier malicious score 0.9846

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://oniceh.ru/uplcv?utm_term=metaphor+and+metonymy+at+the+crossroads PDF link annotation
- http://kaplanpm.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094bee4b61a1---vetulubepuvukoguvekagik.pdfIn PDF document text
- https://trichynext.com/wp-content/plugins/super-forms/uploads/php/files/c5919ef11fee3674fd499ab2260607bf/84952185163.pdfIn PDF document text
- http://pphu-joanna.pl/fckpliki/file/dowubixofemumubixasapoj.pdfIn PDF document text
- https://www.euroservicemilano.it/wp-content/plugins/formcraft/file-upload/server/content/files/160793e81d19ab---jaforelijivig.pdfIn PDF document text
- http://www.assignproject.com/wp-content/plugins/formcraft/file-upload/server/content/files/160807e620dd15---9466432751.pdfIn PDF document text
- https://claphamjunction.com.au/wp-content/plugins/super-forms/uploads/php/files/8a2145c56099d7536ad7d0b5ca4ab654/dapajajefixa.pdfIn PDF document text
- https://www.treehousecare.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607145bb89174---vubudexokerosivitofikoten.pdfIn PDF document text
- http://aldo-ins.com/userfiles/file/75066760539.pdfIn PDF document text
- http://brodart01.com/wp-content/plugins/super-forms/uploads/php/files/0fadv25bomof1q3k6cajql0p44/duserodurexorajifit.pdfIn PDF document text
- http://jtour.vn/userfiles/file/93475631856.pdfIn PDF document text
- https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac1138c40bd---25972330508.pdfIn PDF document text
- http://seashoresilverlabradors.com/clients/4/48/482fd9669fb3260065120a60ccac5e48/File/vamuvepokokufakobikebeba.pdfIn PDF document text
- http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a45888305dd---wodepapitagolowurapuvepaz.pdfIn PDF document text
- http://aarogyamedico.com/userfiles/file/67118227848.pdfIn PDF document text
- http://abpaluso.com/upload/file/xirozedudulotaw.pdfIn PDF document text
- http://drvision.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609c24e8d00eb---5844157100.pdfIn PDF document text
- http://modnyi-buket.ru/uploads/files/70473308267.pdfIn PDF document text
- http://3duct.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a080411831e---jawetopezazugizowepesi.pdfIn PDF document text
- http://kindervakantieweekdeurne.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607a4ddb7fea7---kumap.pdfIn PDF document text
- https://jgmurphy.com/wp-content/plugins/super-forms/uploads/php/files/a8232bc46a0bd1f08d2a7a59c13629b8/77434343587.pdfIn PDF document text
- https://sheenabusesandcoaches.com/userfiles/file/79456778033.pdfIn PDF document text
- http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/114fd88db62138bf336ab90c9a129908/kutawazanupika.pdfIn PDF document text
- https://globportal.com/upload/userfiles/files/34115288454.pdfIn PDF document text
- http://arserwood.com/js/fckeditor/editor/filemanager/connectors/php/connector.php/upfiles/file/210606065037868871pi49eg.pdfIn PDF document text
- http://peaceinsrilanka.lk/userfiles/file/jatijabegowuvijubiv.pdfIn PDF document text
- https://masterok-kovka.ru/wp-content/plugins/super-forms/uploads/php/files/bc4d1108dbbd7b43c36c78f24d368b0e/suxusiburumilifunebodesak.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000cfcd.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCFCD	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_01_sfnt_off0000e7df.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE7DF	18856 bytes
SHA-256: `b2dc08f59354b7dbe7fe4640f217ea5be29545c3adab8fe364df039b13fe8ab1`
`font_02_sfnt_off000116eb.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x116EB	10748 bytes
SHA-256: `8e856177dc5607d4ebdee8b26ab1306b177f23981a5c6e0b44601c8c98fca7d1`

Open this report in the interactive analyzer, or submit your own file for analysis.