Malicious PDF — malware analysis report

Static analysis result for SHA-256 08036774991543d8…

Verdict: MALICIOUS
File type: PDF

Size: 347.9 KB
Created: 2022-04-28 01:29:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2026-05-21
MD5: 0883d7e9cb114e334be514bd57f6334d
SHA-1: b5eb85a1ff745abec8ad557860a406ec32e65082
SHA-256: 08036774991543d831acdf7db50b1dd50e87898fefcccf1d1c1981d2c6642716
Risk Score: 166

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4815

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Travel-support phone-number stuffing scam critical SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://sipopomek.weebly.com/uploads/1/3/4/6/134632846/ad73a01.pdf In PDF document text
    • https://nobexuliga.weebly.com/uploads/1/3/1/4/131405940/banojo_zubepojitaxaj.pdf In PDF document text
    • https://gebiralegesexi.weebly.com/uploads/1/3/0/8/130814020/ribufikofo.pdf In PDF document text
    • http://studiolegalebisantis.it/userfiles/files/tuguwoboramefepetezoxewo.pdf In PDF document text
    • https://kebonipima.weebly.com/uploads/1/3/0/7/130740513/f9b1eb27f3dc2e.pdf In PDF document text
    • http://professionalcsali.hu/admin/ckeditor/kcfinder/upload/files/kugododirid.pdf In PDF document text
    • https://lisesadavageg.weebly.com/uploads/1/3/1/4/131438313/kusenosalivinivopi.pdf In PDF document text
    • https://kurtoglumob.com/upload/file/90077412705.pdf In PDF document text
    • https://dajetulanew.weebly.com/uploads/1/3/4/3/134309067/metepakowida-gulosozebolako-fenidominul.pdf In PDF document text
    • https://nesojikav.weebly.com/uploads/1/3/1/3/131398336/pipoboroliz.pdf In PDF document text
    • http://archidaldegan.eu/userfiles/files/45370091637.pdf In PDF document text
    • https://fsreloading.com/userfiles/files/98332426504.pdf In PDF document text
    • https://bebemabuvi.weebly.com/uploads/1/3/1/4/131453051/delagigupum-bemosobomaj.pdf In PDF document text
    • https://negedawitadunez.weebly.com/uploads/1/3/4/5/134587096/45c7ffa5d1ec17.pdf In PDF document text
    • http://imbirimbir.ru/files/84166436092.pdf In PDF document text
    • http://www.etoiles-recrutement.com/wp-content/plugins/formcraft/file-upload/server/content/files/16220c74e3dccd---95904102170.pdf In PDF document text
    • http://ibconsulting.it/userfiles/files/pibavodafitupetaxes.pdf In PDF document text
    • http://manu-transport.com/documents/file/90766286858.pdf In PDF document text
    • https://lemizufez.weebly.com/uploads/1/4/1/3/141338222/5068672.pdf In PDF document text
    • https://xebagaxasu.weebly.com/uploads/1/3/4/8/134878678/nesiniwaremikes.pdf In PDF document text
    • http://www.yemany.com/yemfiles/files/48596288148.pdf In PDF document text
    • https://gekubuneka.weebly.com/uploads/1/3/4/0/134041200/kiturafireseba.pdf In PDF document text
    • https://piguvedulo.weebly.com/uploads/1/3/4/7/134724556/1653daf7.pdf In PDF document text
    • https://posetili.ru/userfiles/file/xunutuda.pdf In PDF document text
    • http://www.marcado.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16230c2b0b3446---76871355467.pdf In PDF document text
    • http://textstricker.de/benutzerdateien/11030056956.pdf In PDF document text
    • http://kaav.org/kcfinder/upload/files/valokubal.pdf In PDF document text
    • https://xepebujusu.weebly.com/uploads/1/3/4/3/134319702/1527516.pdf In PDF document text
    • http://recentitsolutions.com/userfiles/file/lojefuwamul.pdf In PDF document text
    • http://lavalnerina.com/userfiles/file/20125616645.pdf In PDF document text
    • https://zobupevebidibet.weebly.com/uploads/1/3/3/9/133997179/vasewegatebijokiji.pdf In PDF document text
    • http://dbexpertise.fr/catalogue_dynamique/file/gotibi.pdf In PDF document text
    • http://virtuozi.ru/sites/all/sites/virtuozi.ru/files/44104772611.pdf In PDF document text
    • https://ikayros.com/app/webroot/upload/files/44197542171.pdf In PDF document text
    • https://kuserivexujeza.weebly.com/uploads/1/3/4/3/134331384/dajakimoxu-pipagavizudenim-davuwusiw-busotivawodaver.pdf In PDF document text
    • https://wijimoki.weebly.com/uploads/1/3/4/4/134485243/furepuga.pdf In PDF document text
    • http://anexbd.com/assets/ckeditor/kcfinder/upload/files/93859976027.pdf In PDF document text
    • http://impress-solution.com/file_media/file_image/file/11742385625.pdf In PDF document text
    • http://biplano.eu/userfiles/files/mogadaletotigorar.pdf In PDF document text
    • http://gorisum.net/fckeditor/upload_file/file/31803053844.pdf In PDF document text
    • https://jonenatone.weebly.com/uploads/1/3/1/8/131872225/govamad.pdf In PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/ja8a6529nrguo21br5n83htc66/31193861813.pdf In PDF document text
    • https://jodeliloku.weebly.com/uploads/1/3/5/9/135975589/6697568.pdf In PDF document text
    • https://flyingfish-stay.com/userfiles/file/nugebunaganipunorufi.pdf In PDF document text
    • https://nalavawe.weebly.com/uploads/1/3/3/9/133997318/kovefudoboseguzeb.pdf In PDF document text
    • https://lomodujumozib.weebly.com/uploads/1/3/4/5/134588848/fifasazigogarano.pdf In PDF document text
    • https://wojasatog.weebly.com/uploads/1/3/4/7/134765175/menitodusuruwubozazu.pdf In PDF document text
    • http://kubablimel.pl/Image/files/mimotat.pdf In PDF document text
    • https://fecuq.co.za/XSRYdR1H?utm_term=defamation+of+character+letter+template+uk PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    +7 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0004fd38.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4FD38 | 18992 bytes
  SHA-256: ee1573806868491aa40d35caaced883f67f7ddaee6a248425f09465baa842d38
font_01_sfnt_off00052d85.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x52D85 | 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000545a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x545A3 | 10772 bytes
  SHA-256: 4c3aa10531276672c6c24e56cdf8c0b6cceb74daebecb7a62e61a9f2960928e6