Malicious PDF — malware analysis report

Static analysis result for SHA-256 0110178b0fab12ab…

MALICIOUS

PDF

Size: 432.7 KB
Created: 2022-02-12 00:25:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-27

MD5: 04c36573d977e9e993737cd222cc104f
SHA-1: bc2debf0fd391e4c390ee73fa3474be0d6bbcd36
SHA-256: 0110178b0fab12ab390551a3fc061dfa0a03c8cdafa1e3cbdf62b7b0c3e547bb

Risk Score: 144

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3450

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://wirut.co.za/XSRYdR1H?utm_term=catalina+iphone+update++progress  [PDF link annotation]
    • http://atmaircenter.com/lb/userfiles/files/lekirovuwizudapok.pdf  [In PDF document text]
    • http://osmed.cz/app/webroot/files/files/67987325636.pdf  [In PDF document text]
    • http://neonatal-surgery.ru/userfiles/files/pagikidopave.pdf  [In PDF document text]
    • https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/b7c2cfca6936dae5744d350a619aab8c/geraxifulexati.pdf  [In PDF document text]
    • http://autofox.lt/ckfinder/userfiles/files/kewob.pdf  [In PDF document text]
    • http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/161c6a3e77293f---puvurizajofuf.pdf  [In PDF document text]
    • http://ranaghatpchsschool.org/userfiles/file/30910170641.pdf  [In PDF document text]
    • http://adria-ex.com/images/blog/file/86759078026.pdf  [In PDF document text]
    • https://czus-lukasa.sk/userfiles/file/tutipesifupudevevexativob.pdf  [In PDF document text]
    • http://doubler-son-capital.com/photos/files/39662463435.pdf  [In PDF document text]
    • https://mamproducciones.es/wp-content/plugins/formcraft/file-upload/server/content/files/1613ec6fba7991---sedimozarafopipasika.pdf  [In PDF document text]
    • https://er-cardiff.com/eurostyl/photos/file/kojiwusujegurakugope.pdf  [In PDF document text]
    • http://irodaszer.lukinserv.hu/file/37829341141.pdf  [In PDF document text]
    • https://www.kidilangues.fr/js/kcfinder/upload/files/roserofipuko.pdf  [In PDF document text]
    • https://biomedchita.ru/imeg_master/file/27171754024.pdf  [In PDF document text]
    • https://smartcirclegroup.com/userfiles/file/makajilalatifaxibives.pdf  [In PDF document text]
    • https://galaxytraining.examinationonline.com/files/84528633526.pdf  [In PDF document text]
    • http://undergroundspitters.nl/kcfinder/upload/files/jesonuxuposalowebuvuxujos.pdf  [In PDF document text]
    • http://ksklinika.ru/ckfinder/userfiles/files/92409778617.pdf  [In PDF document text]
    • https://supportsurgical.com.br/assets/kcfinder/upload/files/38295721442.pdf  [In PDF document text]
    • https://willes-gb.com/uploads/files/202110240717478778.pdf  [In PDF document text]
    • https://techielingo.com/fck_uploads/files/19031960074.pdf  [In PDF document text]
    • https://trungtammaychieu.com/ad-min/js/libs/kcfinder/upload/files/52763685947.pdf  [In PDF document text]
    • http://www.movingintofreedom.com/wp-content/plugins/formcraft/file-upload/server/content/files/16165af4bd8ff7---xamerujunuwu.pdf  [In PDF document text]
    • https://www.hungarianassociation.com/wp-content/plugins/formcraft/file-upload/server/content/files/161822836cf259---wafupe.pdf  [In PDF document text]
    • https://gerbangkuis.com/contents/files/34791078988.pdf  [In PDF document text]
    • http://ordinate-ltd.com/file_media/file_image/file/nepejuwulasuzabejewipu.pdf  [In PDF document text]
    • https://multimetrics.com/ckfinder/userfiles/files/2409027053.pdf  [In PDF document text]
    • https://unixsensor.com/uploads/files/202112141746508405.pdf  [In PDF document text]
    • http://kartelabasligi.com/images_upload/files/47879207397.pdf  [In PDF document text]
    • http://huzatfokozo.hu/editor_up/samudob.pdf  [In PDF document text]
    • https://ihappywash.com/uploads/files/202112052230169093.pdf  [In PDF document text]
    • http://108homed.com/userfiles/files/86386958764.pdf  [In PDF document text]
    • https://b2cdemo.tickets.com/content/files/70204359953.pdf  [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In PDF document text]
    • http://purl.org/dc/elements/1.1/  [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [In PDF document text]
    • http://dejavu.sourceforge.net  [In extracted file (font_00_sfnt_off0006360e.bin)]
    • http://dejavu.sourceforge.net/wiki/index.php/License  [In extracted file (font_00_sfnt_off0006360e.bin)]

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0006360e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6360E | 16560 bytes
  SHA-256: 924ad5cb737cfd9a34472b2046831991df4d3950e5f0d7b552a18309318c2ee9
font_01_sfnt_off00064d29.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64D29 | 20316 bytes
  SHA-256: 505c310a38f05a11995bc4b4e3b6f6b9be6119efc5177666141801b3a7634ffa
font_02_sfnt_off00068385.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x68385 | 16336 bytes
  SHA-256: adf38969d40f501586e0caf93d33991e243baeeecfe575c4831cdbf64b7044fa
font_03_sfnt_off0006998d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6998D | 10800 bytes
  SHA-256: 18ce605c7cccedf4853c410ce3a4fc21dbaddc1942220cd97607936a512d6eb2