Malicious PDF — malware analysis report

Static analysis result for SHA-256 01154a94843205bf…

Verdict: MALICIOUS
File type: PDF
Size: 256.7 KB
Created: 2022-04-16 20:14:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-28
MD5: e1878ba7298e845bef52bfafed8390c7
SHA-1: 5ea6551087944a3d279777ae2397d02aa018efe6
SHA-256: 01154a94843205bf01c0e806797303df66c559e2347f88bd106ceb8e46eadc2d
Risk score: 136

Machine Learning

  • Nyx PDF Classifier malicious score 0.6013

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fecuq.co.za/XSRYdR1H?utm_term=create+kahoot+from+spreadsheet (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00039500.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x39500 | 10644 bytes
  SHA-256: c8b6eb07d4e8b22ae08f02313141284bae6c97f6e3b02738431c06f3fe8931d9
font_01_sfnt_off0003ad6f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AD6F | 17156 bytes
  SHA-256: a3407186bcc00c804205e94879a95b176e6c16aa70541c06133d878f87d58f84
font_02_sfnt_off0003da0f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3DA0F | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1