PDF malware analysis — malicious · ff54fd70245c90a7

MALICIOUS

PDF

106.5 KB Created: 2021-06-29 04:31:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25

MD5: 7d181dba84ab60753a31e009fcdfc1ec SHA-1: 296ea9b6ae7e6736e363dd0a047343e3ebce3146 SHA-256: ff54fd70245c90a797bca9bc4a154693bffa26f02632a9ad169feef9b87bf117

176 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The 'SE_CALLBACK_LURE' heuristic strongly suggests a callback phishing or tech-support scam pattern, where the document likely prompts the user to call a phone number. While no scripts were extracted, the presence of numerous links to potentially compromised CMS upload storage and disposable hosting points to a link farm or redirection mechanism, likely leading to a malicious payload or phishing page.

Machine Learning

Nyx PDF Classifier malicious score 0.9780

Heuristics 7

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/824da7e2deead3757eca7341358c6e0d/31680072951.pdf In PDF document text
- http://dinskayarealty.ru/media/file/zasitojoriruladaji.pdfIn PDF document text
- http://anhuishangbiao.com/upload_fck/file/2021-5-16/20210516233918471331.pdfIn PDF document text
- https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/gntuap7i0mq56asppd9tdr60p6/povuv.pdfIn PDF document text
- https://indacphuc.com/wp-content/plugins/super-forms/uploads/php/files/ma04lp8823ukpvuirllvm67dv0/41589553221.pdfIn PDF document text
- https://pankalconstructora.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9050a1ed4d---sotosaluvurufapepuvumazo.pdfIn PDF document text
- https://aquariumfargo.com/wp-content/plugins/super-forms/uploads/php/files/7661242171b27bf6097e3bbf7bbca70a/23452440337.pdfIn PDF document text
- https://www.jscorporation.co.in/wp-content/plugins/formcraft/file-upload/server/content/files/160a4c4d3ad3a5---tugumipujajujudivoga.pdfIn PDF document text
- http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/e59a7521dc875a4da7648d323cc49418/38100525080.pdfIn PDF document text
- http://quaint-house.com/57971437484.pdfIn PDF document text
- https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/icu48g45igc3ffpoevdn74eegh/sulubadolalufinu.pdfIn PDF document text
- https://francoisdaulte.com/ckfinder/userfiles/files/93181581310.pdfIn PDF document text
- http://al-bandak.com/userfiles/file/sekofuzomotebo.pdfIn PDF document text
- http://sarljarry.fr/userfiles/file/91800336954.pdfIn PDF document text
- https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080602a58767---xotijikajebefolipodareno.pdfIn PDF document text
- https://maxflowfans.com/userfiles/file/demim.pdfIn PDF document text
- http://www.asejnrtigers.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160b9b6df158be---13130375746.pdfIn PDF document text
- http://rittenhousereunion.com/clients/a/ad/ad7d26974070b67854a29702aed78614/File/62394492566.pdfIn PDF document text
- http://cuatudongnhatrang.com/uploads/files/loxujunaxevizapo.pdfIn PDF document text
- http://magendans.com/imagefiles/file/xilalulifexasazanobidad.pdfIn PDF document text
- http://localhomesales.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16085f72a31df9---69543040093.pdfIn PDF document text
- http://gingerbreadvillage.org/clients/e/e3/e396b250b60561adcb946853f9f62e29/File/70560624957.pdfIn PDF document text
- http://goraku-sangyo.com/userfiles/file/namumuxij.pdfIn PDF document text
- http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/nnkgl03vip8as6lfuul9113qr4/toxojilidusepu.pdfIn PDF document text
- https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088dfac2e1aa---35691543577.pdfIn PDF document text
- http://kayapaliinsaat.net/file/jiwajomosolasawunapazas.pdfIn PDF document text
- https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d56ad617df2---kovaz.pdfIn PDF document text
- https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=can+you+freeze+cooked+chicken+and+ricePDF link annotation
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://dejavu.sourceforge.netIn PDF document text
- http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00013f66.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x13F66	10656 bytes
SHA-256: `2d8440b9dd40c5c5b8a34f745036d6c1e46d44a916014b29f6d70c74ecde32a9`
`font_01_sfnt_off000157d4.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x157D4	16792 bytes
SHA-256: `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`
`font_02_sfnt_off00016fe6.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16FE6	17236 bytes
SHA-256: `93b813a90c87305f98cc04014724ee331825007684f3b998ddb08b4cf1235be8`

Open this report in the interactive analyzer, or submit your own file for analysis.