PDF malware analysis — malicious · e69997dcc04aeea6

MALICIOUS

PDF

75.1 KB Created: 2021-09-20 11:12:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: 452a1af4a4e907b862ccc5616996de32 SHA-1: 551b474a55ad29cb7b2424b6fa7c4f1a84e04d61 SHA-256: e69997dcc04aeea6d99b951055260a82508ed25447f947555ae9753142462302

172 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or malware distribution attempt. It contains a link farm pointing to various domains, some of which are hosted on compromised CMS platforms, and includes embedded JavaScript. The presence of urgency lures suggests a social engineering tactic to prompt immediate user interaction with the malicious links.

Machine Learning

Nyx PDF Classifier malicious score 0.9953

Heuristics 8

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Urgency / deadline lure low SE_URGENCY_LURE

Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://smidgel.ru/uplcv?utm_term=free+youtube+video+downloader+android
- http://www.yemany.com/yemfiles/files/70679587903.pdf
- http://carbontuning.ru/file/74879541119.pdf
- http://turinhotelcompany.com/userfiles/files/83281825981.pdf
- http://pc75.net/upfiles/file/1631328921.pdf
- https://swift-tw.com/lcc/upload/files/63799228907.pdf
- http://wdnederland.nl/file/nuziworulokedexigaj.pdf
- https://drjou-vc.com/upload/files/susazapawe.pdf
- http://www.nisbd.com/wp-content/plugins/formcraft/file-upload/server/content/files/161480a29177f5---56528069050.pdf
- https://calprin.com/ckfinder/userfiles/files/tokufifedobezubibubuk.pdf
- http://www.linkkorea.co.kr/wp-content/plugins/formcraft/file-upload/server/content/files/161479eb8359e9---40445855037.pdf
- https://jamuiboe.com/webroot/upload_media/66597760027.pdf
- http://papinchess.ru/userfiles/file/nafab.pdf
- http://xn----8sbfhu6ab4bqv.xn--p1ai/userfiles/file/21225300712.pdf
- https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/303c01b157ba3bd14fef61d4bd6f5b9c/56281921392.pdf
- https://griby.biz/ckfinder/userfiles/files/89286191314.pdf
- http://royal-pizza.eu/files/file/58584308016.pdf
- http://studiospazioambiente.it/userfiles/files/kifalukazegotad.pdf
- https://thibiditrading.com/public/userupload/files/81269545760.pdf
- https://ntiverification.com/userfiles/file/48847544601.pdf
- http://nepalbestcargo.com/userfiles/file/jasabenojitelebexuret.pdf
- http://aesg2edcv.handylover.com/upload/files/48097483016.pdf
- https://www.vek-bg.com/app/templates/js/ckfinder/userfiles/files/wemefoneroz.pdf
- https://maintogelonline.info/contents/files/65653699375.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000c3d8.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC3D8	16792 bytes
`font_01_sfnt_off0000dbef.bin` `bf84f0e25069df4c99247934c4ba1fe616b88e8f1cf4d027ee7b836a78e85235`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xDBEF	10556 bytes
`font_02_sfnt_off0000f424.bin` `9f518f868592341594951e02828e227d291f69be298727541faa380e429ef695`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF424	16612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.