PDF malware analysis — malicious · 4fee97636ca76c7b

MALICIOUS

PDF

70.9 KB Created: 2021-09-27 15:49:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 6e5cea60175d970535f950a4c358184d SHA-1: 6107f0c1a160139ae853ad7d1332297584195733 SHA-256: 4fee97636ca76c7b36ad7b7649fc1d890ef7b55625e1d3d66d8cae1e84e06cca

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file contains a link farm pointing to various domains, many of which appear to be compromised WordPress sites or disposable hosting. The primary URL includes a UTM term suggesting a lure for 'minecraft pe download for android free', indicating a phishing or scam attempt. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 0.9947

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://smidgel.ru/uplcv?utm_term=minecraft+pe+download+for+android+free
- https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/2451ff7c14c6516682b4e841a2878cd0/fasofurogodefarosulero.pdf
- https://jiu-hang.com/upfiles/editor/files/vesetudovunuzegigewe.pdf
- https://www.projectorrentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613070b5d2c3b---nawuzenolilaworefexoku.pdf
- http://training-solutions.ro/wp-content/plugins/formcraft/file-upload/server/content/files/1613e35de5b70a---korajiniratapabe.pdf
- https://balticstroy.com/uploads/files/zuzamel.pdf
- https://rubin2000-distribuitorshop.ro/userfiles/file/lifakorodu.pdf
- http://giprozdraw.ru/ckfinder/userfiles/files/kosojoxanotonode.pdf
- http://tc-muehlacker.de/data/tcmuehlacker/userfiles/file/86683302960.pdf
- http://harchovyk.com/userfiles/file/konuxiwijakapetufobaxo.pdf
- http://puzynowska-kancelaria.com/userfiles/file/20091180430.pdf
- https://get-insurance.in/ckfinder/userfiles/files/jatisoluzobad.pdf
- http://jujucuisine.com/userfiles/file/71145105060.pdf
- http://yepuco.com/uploads/files/kunamoxunexamofov.pdf
- http://getrade.net/uploadfiles/file/nozamumukili.pdf
- http://donkaew-furniture.com/ckfinder/userfiles/files/26299752342.pdf
- https://bharatiyabhashaparishad.org/ckfinder/userfiles/files/pitisapesusexozanedijibug.pdf
- http://asavn.vn/uploads/userfiles/files/66489904249.pdf
- http://aeskulap24h.de/wp-content/plugins/formcraft/file-upload/server/content/files/161408f0950f24---xugaworujoboxipujije.pdf
- http://mocphatreal.com/assets/images/ckfinder/files/12750840641.pdf
- https://tahsindincer.com/upload/ckfinder/files/xojepesibotipimurozov.pdf
- http://wtmongolia.com/materials/file/latolopapajokoburun.pdf
- http://gryfarmerskie.pl/pliki_wyswig/files/82292597328.pdf
- http://quangcongluc.com/upload/files/raretofe.pdf
- https://auto826.vnpec.xyz/uploads/files/butikawitufiwuf.pdf
- http://vmkmsz.hu/userfiles/file/90068463064.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000b2ff.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB2FF	16792 bytes
`font_01_sfnt_off0000cb16.bin` `11ab81c8fe31ec38c05e9f62853caadf42b83107fb1dd8b17166673c0bf3d28b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCB16	10524 bytes
`font_02_sfnt_off0000e334.bin` `ce92f04c86545a9cadbdda46d8214eed00f886b48d6607a5456cbff3897197c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE334	16724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.