Malicious PDF — malware analysis report

Static analysis result for SHA-256 0112c230582e4c61…

MALICIOUS

PDF

Size: 263.4 KB
Created: 2022-04-09 06:23:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-28
MD5: 53fae04a5a852a51c58ee4bb2c979e53
SHA-1: 6e42dfb28ef83b207bbbd49742223805d95cbb1d
SHA-256: 0112c230582e4c614a60de0fdc77b6dc940ed9e2cadaeca95469ec829ef8beff
Risk Score: 136

Machine Learning

  • Nyx PDF Classifier malicious score 0.5383

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://norin.co.za/XSRYdR1H?utm_term=lazy+boy+sectional+replacement+parts PDF link annotation

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
font_00_sfnt_off00038e49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x38E49 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0003a660.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3A660 10808 bytes
SHA-256: bb99cee8729e99c08171d40fda0a78b283096825280cf844366a59735e7aa06d
font_02_sfnt_off0003bf1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3BF1F 16160 bytes
SHA-256: 4ac500d6e3c0ff81b9d7bba6b662cc1b6c57f4f8b05facc13edcda647588841f
font_03_sfnt_off0003d495.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3D495 21700 bytes
SHA-256: c3bc6c417eff3d1c3e4a5ff2de5e0bec4510fc72ace719e38fa67e24222c79f0