PDF malware analysis — malicious · fe599a8dc7b3add3

MALICIOUS

PDF

93.7 KB Created: 2021-09-05 22:05:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07

MD5: b358a23a61998477d6d86b15827b7cef SHA-1: 028eaa4d087c22dad7301a4c80677a8e59c5bfc2 SHA-256: fe599a8dc7b3add360288d273c0a0244377454c624a6ef23425ecbb9c8a23151

124 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file contains a large number of external links, many of which point to compromised WordPress upload directories. The ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0' strongly suggests a phishing or trojan distribution intent. The file's structure as a link farm on potentially compromised or disposable hosting further supports this malicious purpose.

Machine Learning

Nyx PDF Classifier suspicious score 0.2938

Heuristics 5

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb1666f0ab---palasedati.pdf In PDF document text
- http://liily.jp/upload/file/20210725122844.pdfIn PDF document text
- https://micast.de/wp-content/plugins/super-forms/uploads/php/files/oiut6cpenob7qj5cqbj9p0pv1j/56860897578.pdfIn PDF document text
- http://c2mag.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bf60c901aa---96017989257.pdfIn PDF document text
- https://www.gasserbush.com/wp-content/plugins/super-forms/uploads/php/files/6570da27faa5be8552aca473b518be93/49611374689.pdfIn PDF document text
- https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/4fj9kl0ito4kfbsb9j3o9ab5e1/98813091647.pdfIn PDF document text
- http://verdantnorwich.com/clients/3/30/306756bb587dffcd11ca74610d845a16/File/katanuvedilolujamujan.pdfIn PDF document text
- http://champagne-marc-chauvet.com/images/files/fozupikipevopuxala.pdfIn PDF document text
- https://tedvandergulik.nl/userimages/file/72296547334.pdfIn PDF document text
- http://brezov-gaj.si/uporabnik/file/nexinamalopamovagov.pdfIn PDF document text
- http://www.publicitymailing.ie/wp-content/plugins/formcraft/file-upload/server/content/files/16099185eceb8c---84060359507.pdfIn PDF document text
- http://caribsplash.org/wp-content/plugins/formcraft/file-upload/server/content/files/160c6bf91b4223---31983398807.pdfIn PDF document text
- https://traonguoc.vn/wp-content/plugins/super-forms/uploads/php/files/t9rka0bd8i3e221efp280pras4/jumatebusoruludo.pdfIn PDF document text
- https://www.higher-energy-trampolineclub.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e45053c5f44---dixilijagaxanuza.pdfIn PDF document text
- https://realwebguys.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080710a66812---wonuzujaxubagazikupup.pdfIn PDF document text
- http://nmglyxx.com/userfiles/file/boxibefixolopigub.pdfIn PDF document text
- http://romanakladatelstvi.cz/userfiles/file/63212103272.pdfIn PDF document text
- https://jmtours.co/aym_image/files/dilelapuzubax.pdfIn PDF document text
- https://valubil.com/public/uploads/cms_file/cms_files/laneruguwobutabexofavixav.pdfIn PDF document text
- https://etimes.mn/uploads/files/piligamojafixofimaja.pdfIn PDF document text
- https://triptoboloyfoundation.org/editorsfiles/files/zukeno.pdfIn PDF document text
- http://ptsound.com/plugins/ckfinder/userfiles/files/85546598095.pdfIn PDF document text
- https://vannordenvastgoed.nl/userfiles/file/37372566894.pdfIn PDF document text
- http://ombs.ru/uploads/files/vaxumudazidap.pdfIn PDF document text
- https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=relationship+between+morphology+and+syntax+pdfPDF link annotation
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001203c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1203C	19792 bytes
SHA-256: `2ad5e60f9b568fa46761ae8004741d748273f706d9c4b252bdf1ab7ef01c9cb7`
`font_01_sfnt_off000153da.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x153DA	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`

Open this report in the interactive analyzer, or submit your own file for analysis.